sionsoscommerce

UserSessionModelingforEffectiveApplicationIntrusionDetectionKapilKumarGupta,BaikunthNath(Sr.
MIEEE)andKotagiriRamamohanaraoAbstractWiththenumberofdatabreachesonarise,effectiveandefcientdetec-tionofanomalousactivitiesinapplicationswhichmanagesdataiscritical.
Inthispaper,weintroduceanovelapproachtoimproveattackdetectionatapplicationlayerbymodelingusersessionsasasequenceofeventsinsteadofanalyzingeverysingleeventinisolation.
Wealsoarguethatcombiningapplicationaccesslogsandthecor-respondingdataaccesslogstogenerateuniedlogseliminatestheneedtoanalyzethemseparatelytherebyresultinginanefcientandaccuratesystem.
Weevaluatevariousmethodssuchasconditionalrandomelds,supportvectormachines,deci-siontreesandnaiveBayes,andexperimentalresultsshowthatourapproachbasedonconditionalrandomeldsisfeasibleandcandetectattacksatanearlystageevenwhentheyaredisguisedwithinnormalevents.
1IntroductionDetectingintrusionsisachallengebecauseitisimportanttodetectmaliciouseventsatanearlystageinordertominimizetheirimpact.
Thisbecomesmoreimportantwhenattackerscomeupwithpreviouslyunseenattacksevenwhenthepresentsys-temsareunabletodetectallexistingattackswithacceptablereliability[13].
Further,withmoreandmoredatabecomingavailableindigitalformatandmoreapplicationsbeingdevelopedtoaccessthisdata,thedataandapplicationsareavictimofmali-ciousattackerswhoexploittheapplicationstogainaccesstosensitivedata.
Thus,thereisneedtodeveloprobustandefcientintrusiondetectionsystemswhichcandetectsuchmaliciousactivitiesatapplicationlayer.
KapilKumarGupta,BaikunthNath,KotagiriRamamohanaraoDepartmentofComputerScience&SoftwareEngineering,NICTAVictoriaResearchLaboratory,TheUniversityofMelbourne,Australia,3010.
e-mail:kgupta@csse.
unimelb.
edu.
au,bnath@csse.
unimelb.
edu.
au,rao@csse.
unimelb.
edu.
auPleaseusethefollowingformatwhencitingthischapter:Gupta,K.
K.
,Nath,B.
andRamamohanarao,K.
,2008,inIFIPInternationalFederationforInformationProcessing,Volume278;ProceedingsoftheIFIPTC1123rdInternationalInformationSecurityConference;SushilJajodia,PierangelaSamarati,StelvioCimato;(Boston:Springer),pp.
269–283.
270KapilKumarGupta,BaikunthNath(Sr.
MIEEE)andKotagiriRamamohanaraoIntrusiondetectionsystemsareclassiedassignaturebased,anomalybasedorhybridsystems[5].
Hybridsystemsgenerallyemploymachinelearningmethodswhilesignatureandanomalybasedsystemsareoftenbasedonpatternmatchingandstatisticalmethods.
Theadvantageofhybridsystemsisthattheyaretrainedusingnormalandanomalousdatapatternstogetherandhencecanbeusedtolabelnewunseeneventsreliablywhencomparedwithsignatureandanomalybasedsystemswhicharegenerallybasedonathreshold[21].
Intrusiondetectionsystemscanalsobeclassiedasnetworkbased,hostbasedorapplicationbased[5].
Inthispaper,weproposeanapplicationintrusiondetectionsystemwhichmodelsindividualusersessionsusingamovingwindowofevents.
Oneofthemaindraw-backsofpresentapplicationintrusiondetectionsystemsisthattheyarespecictoaparticularapplicationandcannotbegeneralized[19],[20].
However,ourproposedmodelisgeneralanddoesnotrequireapplicationspecicdetailstobeencoded.
Itonlyneedstobetrainedwiththelogsassociatedwithaparticularapplication.
Asanyapplicationintrusiondetectionsystem,oursystemismeanttoprovideanadditionallineofdefenseandnottoreplaceexistingnetworkbasedsystems.
Therestofthepaperisorganizedasfollows;weexplainourframeworkinSect.
2anddiscussthedatasetinSect.
3.
WegiveourexperimentalresultsinSect.
4.
WethendiscussrelatedworkinSect.
5anddrawconclusionsinSect.
6.
2ProposedModelIngeneral,therearetwomotivestolaunchanattack;eithertoforceanetworktostopsomeservicethatitisprovidingortostealsomeinformationstoredinanetwork.
Inthispaper,wefocusonthesecondmotive,i.
e.
,todetectmaliciousdataaccess.
However,whatisnormalandwhatisanomalousisnotdened,i.
e.
,aneventmaybenormalwhenmeasuredwithrespecttosomecriteriabutthesamemaybecalledasanomalouswhenthiscriteriaischanged.
Thus,theobjectiveistondanomaloustestpatternswhicharesimilartotheanomalouspatternswhichoccurredduringthetrainingwiththeassumptionthattheunderlyingmeasuringcriteriaisunchangedandthesystemistrainedsuchthatitcanreliablyseparatenormalandanomalousevents.
Thestraightforwardapproachistoauditeverydataaccessrequestbeforeitisprocessedanddataisretrievedbythesystem.
However,thisisnottheidealsolutionduetothefollowingreasons:1.
Thenumberofdatarequestsperunittimeisverylargeandmonitoringeveryrequestinrealtimeapplicationsseverelyaffectssystemperformance.
2.
Assumingthatwecansomehowmonitoreverydatarequest,thesystemmustberegularlyupdatedwithnewsignaturestodetectpreviouslyknownattacks(itstillcannotdetectzerodayattacks).
3.
Thesystemisapplicationspecicbecausethesignaturesaredenedbyencodingapplicationspecicknowledge.
UserSessionModelingforEffectiveApplicationIntrusionDetection271Thus,monitoringeverydatarequestisoftennotfeasibleinreallifeenvironment.
Wealsoobservethatrealworldapplicationsgenerallyfollowthethreetierarchi-tecture[1]whichensuresapplicationanddataindependence,i.
e.
,dataismanagedseparatelyandisnotencodedintotheapplication.
Hence,toaccessdata,anattackerhasnooptionbuttoexploitthisapplication.
Todetectsuchattacks,anintrusiondetectionsystemcaneithermonitortheapplicationrequestsor(and)monitorthedatarequests.
Aswediscussedabove,analyzingeverydataaccessisdifcultandlimitsthedetectioncapabilityoftheintrusiondetectionsystem.
Similarly,analyzingonlytheapplicationrequestsdoesnotprovideusefulinformationaboutthedataac-cessed.
Previoussystemssuchas[6],[9]and[15]considertheapplicationrequestsandthecorrespondingdatarequestsseparatelyand,hence,unabletocorrelatetheeventstogetherresultinginalargenumberoffalsealarms.
Beforeweexplainourframework,wedenesomekeytermswhichwillbehelpfulinbetterunderstandingofthepaper.
1.
Application:Anapplicationisasoftwarebywhichausercanaccessesdata.
Thereexistsnootherwayinwhichthedatacanbemadeavailabletoauser.
2.
User:Auseriseitheranindividualoranyanotherapplicationwhichaccessdata.
3.
Event:Datatransferbetweenauserandanapplicationisaresultofmultiplesequentialevents.
Datatransfercanbeconsideredasarequest-responsesystemwherearequestfordataaccessisfollowedbyaresponse.
Aneventisasinglerequest-responsepair.
WerepresentasingleeventasanNfeaturevector.
Inthispaper,weusethetermeventinterchangeablywiththetermrequest.
4.
UserSession:Ausersessionisanorderedsetofeventsoractionsperformed,i.
e.
,asessionisasequenceofoneormorerequest-responsepairs.
Everysessioncanbeuniquelyidentiedbyasession-id.
2.
1FrameworkWerepresentageneralframeworkforbuildingapplicationintrusiondetectionsys-temsinFig.
1.
Ourframeworkdoesnotencodeapplicationspecicknowledgemak-ingituseableforavarietyofapplications.
Toaccessdata,auseraccessestheap-plicationasinasimplethreetierarchitecture.
However,everyrequestrstpassesthroughthesessioncontrol.
Sessioncontrolisresponsibleforestablishingnewses-sionsandforcheckingthesession-idforpreviouslyestablishedsessions.
Forthis,itmaintainsalistofallthevalidsessionsthatareallowedtoaccesstheapplicationandhencethedata.
Everyrequesttoaccesstheapplicationischeckedforavalidsession-idatthesessioncontrolwhichcanbeblockedifitisfoundanomalousde-pendingupontheinstalledsecuritypolicy.
Thesessioncontrolcanbeimplementedaspartoftheapplicationitselforasaseparateentity.
Followingchecksfromthesessioncontrol,therequestissenttotheapplicationwhereitisprocessed.
Thewebserverlogseveryrequest.
Similarlyeverydataac-cessislogged.
Thetwologsarethencombinedtogenerateuniedlogswhichareanalyzedbytheintrusiondetectionsystemasrepresentedintheframework.
272KapilKumarGupta,BaikunthNath(Sr.
MIEEE)andKotagiriRamamohanaraoFig.
1Frameworkforbuild-ingApplicationIntrusionDetectionSystemWerepresentthestructureofatypicalusersessioninFig.
2.
Auserrequestsaresourcewhichgeneratesawebrequest.
Asweshalldiscusslater,weusedaPHPapplicationtogeneratedata.
WeconsiderawebrequesttobeasinglerequesttorenderaPHPpagebythewebserverandnotasingleHTTPGETrequestasitmaycontainmultipleimages,framesanddynamiccontent.
ThePHPpagecanbeeasilyidentiedfromthewebserverlogs.
Thisrequestfurthergeneratesoneormoredatarequestswhichdependonthelogicencodedintheapplication.
Tocaptureuser-applicationandapplication-datainteractions,weutilizefeaturesofboththewebserverlogsandtheassociateddataaccesslogstogenerateuniedlogs.
However,thenumberofdatarequestsisextremelylargeascomparedtothenumberofwebrequests.
Hence,werstprocessthedataaccesslogstogeneratesimplestatisticssuchasthenumberofqueriesinvokedbyasinglewebrequestandthetimetakentoprocessthemratherthananalyzingeverydataaccessindividually.
Wethenusethesession-idwhichispresentinboththewebserverlogsandtheassociateddataaccesslogstouniquelymaptheextractedstatistics(obtainedfromthedataaccesslogs)tothecorrespondingwebrequeststogenerateuniedlogs.
Fig.
2RepresentationofaSingleuserSessionThus,wegenerateauniedlogformatwhereeverysessionisrepresentedasasequenceofvectorsandisrepresentedbythefollowing6features:1.
Numberofdataqueriesgeneratedinasinglewebrequest.
UserSessionModelingforEffectiveApplicationIntrusionDetection2732.
Timetakentoprocesstherequest.
3.
Responsegeneratedfortherequest.
4.
Amountofdatatransferred(inbytes).
5.
Requestmade(orthefunctioninvoked)bytheclient.
6.
Referencetothepreviousrequestinthesamesession.
Webaccesslogscontainusefulinformationsuchasthedetailsofeveryrequestmadebyaclient(user),responseofthewebserver,amountofdatatransferredetc.
Similarly,dataaccesslogscontainimportantdetailssuchastheexactdatatableandcolumnsaccessed,incasethedataisstoredinadatabase.
Performingintrusionde-tectionatthedataaccesslevel,inisolation,requiressubstantiallymoreresourceswhencomparedtoourapproach.
Monitoringthetwologstogethereliminatestheneedtomonitoreverydataquerysincewecanusesimplestatistics.
Inordertogaindataaccessanattackerfollowsanumberofstepsandhence,toreducethenumberoffalsealarmsandincreasetheattackdetectionaccuracy,intrusiondetectionsys-temsmustbecapableofanalyzingentiresequenceofeventsratherthanconsideringeveryeventinisolation[24].
Tomodelsuchasequenceofeventvectors,weneedamethodthatdoesnotassumeindependenceamongsequentialevents.
Thus,weuseconditionalrandomeldwhichwedescribenext.
2.
2ConditionalRandomFieldsConditionalrandomelds[18]offerustherequiredframeworktobuildrobustintru-siondetectionsystems[11],[12].
Theprimeadvantageofconditionalrandomeldsisthattheyarediscriminativemodelswhichdirectlymodeltheconditionaldistribu-tionp(y|x).
Further,conditionalrandomeldsareundirectedmodelsandfreefromlabelbiasandobservationbiaswhicharepresentinotherconditionalmodels[16].
GenerativemodelssuchastheMarkovchains,hiddenMarkovmodels,naiveBayesandjointdistributionhavetwodisadvantages.
First,thejointdistributionisnotre-quiredsincetheobservationsarecompletelyvisibleandtheinterestisinndingthecorrectclasswhichistheconditionaldistributionp(y|x).
Second,inferringcondi-tionalprobabilityp(y|x)fromthejointdistribution,usingtheBayesrule,requiresmarginaldistributionp(x)whichisdifculttoestimateastheamountoftrainingdataislimitedandtheobservationxcontainshighlydependentfeatures.
Asare-sultstrongindependenceassumptionsaremadetoreducecomplexity.
Thisresultsinreducedaccuracy[22]andhencethesemethodsarenotconsideredinthispaper.
Instead,conditionalrandomeldspredictthelabelsequenceygiventheobservationsequencex,allowingthemtomodelarbitraryrelationshipsamongdifferentfeaturesintheobservationswithoutmakingindependenceassumptions.
Thegraphicalstruc-tureofaconditionalrandomeldisrepresentedinFig.
3.
Thefollowingmathematicaldescriptionofaconditionalrandomeldismoti-vatedfrom[18].
GivenXandY,therandomvariablesoverdatasequencetobela-beledandthecorrespondinglabelsequences,letG=(V,E)beagraphwithvertices274KapilKumarGupta,BaikunthNath(Sr.
MIEEE)andKotagiriRamamohanaraoFig.
3GraphicalRepresenta-tionofaConditionalRandomField.
x1,x2,x3,x4representsanobservedsequenceoflengthfourandeveryeventinthesequenceiscorrespond-inglylabeledasy1,y2,y3,y4.
Further,everyxiisafeaturevectoroflength'6'.
VandedgesEsuchthatY=(Yv)wherev∈VandYisrepresentedbythever-ticesofthegraphG,then,(X,Y)isaconditionalrandomeld,whenconditionedonX,therandomvariablesYvobeytheMarkovpropertywithrespecttothegraph:p(Yv|X,Yw,w=v)=p(Yv|X,Yw,wv),wherewvmeansthatwandvareneigh-borsinG,i.
e.
,aconditionalrandomeldisarandomeldgloballyconditionedonX.
Forasimplesequence(orchain)modeling,asinourcase,thejointdistributionoverthelabelsequenceYgivenXhastheform:pθ(y|x)∝exp(∑e∈E,kλkfk(e,y|e,x)+∑v∈V,kμkgk(v,y|v,x))(1)wherexisthedatasequence,yisalabelsequence,andy|sisthesetofcomponentsofyassociatedwiththeverticesoredgesinsubgraphS.
Also,thefeaturesfkandgkareassumedtobegivenandxed.
Theparameterestimationproblemistondtheparametersθ=(λ1,λ2,.
.
.
;μ1,μ2,.
.
.
)fromthetrainingdataD=(xi,yi)Ni=1withtheempiricaldistributionp(x,y).
Recentlytheconditionalrandomeldshavebeenshowntoworkverywellforintrusiondetection[11].
Thereasonforthisisthattheymakenounwarrantedassumptionsaboutthedata,andoncetrainedtheyareveryefcientandrobust.
Duringtesting,theViterbialgorithmisemployedwhichhasacomplexityofO(TL2),whereTisthelengthofthesequenceandListhenumberoflabels.
Thequadraticcomplexityisproblematicwhenthenumberoflabelsislarge,suchasinthelanguagetasks,butforintrusiondetectionwehavealimitednumberoflabels(normalandanomalous)andthusthesystemisefcient.
3DataDescriptionToperformourexperimentswecollecteddatalocallybysettingupanenvironmentthatmimicsarealworldapplicationenvironment.
Weusedanopensource,onlineshoppingapplication[2]anddeployeditonawebserverrunningApacheversion2.
0.
55andconnectedtoadatabaseserverrunningMySQLversion4.
1.
22.
Everyac-cesstothewebserverandthedataserverwaslogged.
Wecollectedboththenormalandtheattackdata.
Thedatasetismadefreelyavailableandcanbedownloadedfrom[10].
UserSessionModelingforEffectiveApplicationIntrusionDetection275Tocollectthenormaldataweaskedthestudentsinthedepartmenttoaccesstheapplication.
Thesystemfordatacollectionwasonlineforveconsecutivedays.
Fromthedataweobservedthatabout35differentusersaccessedtheapplicationwhichresultedin117uniquesessionscomposedof2,615webrequestsand232,655databaserequests.
WethencombinedthewebserverlogswiththedataserverlogstogeneratetheuniedlogsintheformatdiscussedinSect.
2.
1.
Hencewehave117sessionswithonly2,615eventsvectorswhichincludefeaturesofboththewebrequestsandtheassociateddatarequests.
Wealsoobservedthatalargenumberofusersessionswereterminatedwithoutactualpurchaseresultinginabandoningtheshoppingcart.
Thisisarealisticscenarioandinrealityalargenumberoftheshoppingcartsareabandonedwithoutpurchase.
AtypicalnormalsessioninthedatasetisrepresentedinFig.
4.
Fig.
4RepresentationofaNormalSessionTocollectattackdatawedisabledaccesstothesystembyanyotheruserandgeneratedattacktrafcmanuallybasedupontwocriteria;rst,theattackswhichdonotrequireanycontroloverthewebserverorthedatabasesuchasSQLinjectionand,second,theattackswhichrequiresomecontroloverthewebserversuchaswebsitedefacementandothers.
Theeventswereloggedandthesameprocesstocombinethetwologswasrepeated.
Wegenerated45differentattacksessionswith272webrequeststhatresultedin44,390datarequests.
Combiningthemtogetherwegot45uniqueattacksessionswith272eventvectors.
AtypicalanomaloussessioninthedatasetisrepresentedinFig.
5whichdepictsascenariowherethedeployedapplicationhasbeenmodiedbytakingcontrolofthewebserver.
Fig.
5RepresentationofanAnomalousSession4ExperimentsandResultsWeusedtheCRF++toolkit[17]andthewekatool[23]fortheexperiments.
Further,wedevelopedpythonandshellscriptsfordataformattingandimplementation.
We276KapilKumarGupta,BaikunthNath(Sr.
MIEEE)andKotagiriRamamohanaraoperformallexperimentstentimesbyrandomlyselectingtrainingandtestingdataandreporttheaverage.
Weuseexactlythesamesamplesforallthefourmethods.
Itmustbenotedthatmethodssuchasdecisiontrees,naiveBayesandsupportvectormachinesarenotdesignedforsequencelabeling.
However,forourpurposethesemethodscanbeappliedbytreatingthedataasrelationalratherthanconsideringthemassequences.
Toexperimentwiththesemethods,weconverteverysessiontoasinglerecordbyappendingsequentialeventsattheendofthepreviouseventandthenlabelingtheentiresessionaseithernormalorasattack.
Forthesupportvectormachinesweexperimentedwiththreekernels;poly-kernel,rbf-kernelandnormalized-poly-kernel,andvariedthevalueofcbetween1and100forallofthekernels[23].
Intheexperimentswevarythewindowsize'S'from1to20andana-lyzeitseffectontheattackdetectionaccuracy.
WindowofsizeS=1indicatesthatweconsideronlythecurrentrequestanddonotconsiderthehistorywhileawin-dowofsizeS=20showsthatasequenceof20eventsisanalyzedtoperformthelabeling.
Wereporttheresultsformeasuringtheeffectivenessofattackdetectionusingprecision,recallandF-measure.
However,duetospacelimitations,wedonotpresenttheresultsforefciency.
Nonetheless,theefciencyforoursystemwascomparabletothatofothermethods.
Veryoften,attackershidetheattackswithinnormalevents,makingattackdetec-tionverydifcult.
Wedenethedisguisedattackparameter,'p'asfollows:p=numberofAttackeventsnumberofNormalevents+numberofAttackeventswherenumberofAttackevents>0andnumberofNormalevents>=0Thevalueof'p'liesintherange(0,1].
Theattacksarenotdisguisedwhenp=1,sinceinthiscasethenumberofnormaleventsis0.
Asthevalueof'p'decreaseswhenthenumberofnormaleventsislarge,theattacksaredisguisedinalargenumberofnormalevents.
Inordertocreatedisguisedattackdata,weaddarandomnumberofattackeventsatrandomlocationsinindividualnormalsessionsandlabeltheeventsasattack.
Thisresultsinhidingtheattackswithinnormaleventssuchthattheattackdetectionbecomesdifcult.
Weperformexperimentstoreectthesescenariosbyvaryingthenumberofnormaleventsinanattacksessionsuchthat'p'between0to1.
4.
1ExperimentswithCleanData(p=1)Figure6showshowtheF-measurevaryasweincreasethewindowsize'S'from1to20forp=1.
Weobservethatconditionalrandomeldsandsupportvectormachinesperformsimilarlyandtheirattackdetectioncapability(F-measure)in-creases,slowlybutsteadily,asthenumberofsequentialeventsanalyzedtogetherinasessionincreases.
Thisshowsthatmodelingausersessionresultsinbetterattackdetectionaccuracycomparedtoanalyzingtheeventsindividually.
However,deci-siontreesandnaiveBayesperformpoorlyandhavelowF-measureregardlessofthewindowsize'S'.
UserSessionModelingforEffectiveApplicationIntrusionDetection277Fig.
6ComparisonofF-measure(p=1)4.
2ExperimentswithDisguisedAttackData(p=0.
60)Inordertotesttherobustnessofthemethods,weperformedexperimentswithdis-guisedattackdata.
Wecomparetheresultsforallthefourmethods(conditionalrandomelds,decisiontrees,naiveBayesandsupportvectormachines)inFig.
7wherewesetp=0.
60.
Weobservethattheconditionalrandomeldsperformsbest,outperformingallothermethodsandarerobustindetectingdisguisedattacks.
Theirattackdetectioncapabilityincreasesasthenumberofsequentialeventsanalyzedtogetherinasessionincreaseswiththewindowsize'S'.
Supportvectormachines,decisiontreesandthenaiveBayesdidnotperformwellwhentheattackdataisdisguisedinnormalevents.
Fig.
7ComparisonofF-measure(p=0.
60)Figures8,9,10and11representstheprecision,recallandF-measureforcon-ditionalrandomelds,decisiontrees,naiveBayesandsupportvectormachines.
Fig.
8ResultswithCondi-tionalRandomFields278KapilKumarGupta,BaikunthNath(Sr.
MIEEE)andKotagiriRamamohanaraoFig.
9ResultswithSupportVectorMachinesFig.
10ResultswithDecisionTreesFig.
11ResultswithNaiveBayesFigure8suggeststhatconditionalrandomeldshavehighF-measurewhichincreasessteadilyasthewindowsize'S'increases.
ThemaximumvalueforF-measureis0.
87atS=15.
Thissuggeststhatconditionalrandomeldgenerateslessfalsealarmsandthesystemperformsreliablyevenwhenattacksaredisguised.
Forsupportvectormachines,bestresultswereobtainedwithpoly-kernelandc=1andarereportedinFig.
9.
WeobservethatsupportvectormachineshavemoderateprecisionbutlowrecallandhencelowF-measure.
ThehighestvalueforF-measureis0.
82whenS=17.
Figure10representsthatdecisiontreeshaveverylowF-measuresuggestingthattheycannotbeeffectivelyusedfordetectinganomalousdataaccesswhentheattacksaredisguised.
Thedetectionaccuracyfordecisiontreesremainsfairlyconstantas'S'increases.
Thisisbecausethesizeofthedecisiontreeremainsconstantevenwhenthenumberoffeaturesincreasessincethegoalofbuildingadecisiontreeistobuildasmallesttreewithalargenumberofleafnodesresultinginbetterclassi-cation.
Hence,evenwhenweincreasethenumberoffeatures,thesizeofthetreedoesnotvaryandtheirattackdetectioncapabilitydoesnotimprove.
UserSessionModelingforEffectiveApplicationIntrusionDetection279ResultsfromFig.
11suggestthatnaiveBayeshavelowF-measurewhichuc-tuatesasthewindowsize'S'increases.
ThereislittleimprovementinF-measurewhichremainslow.
ThemaximumvalueforF-measureis0.
67atS=12suggestingthatasystembasedonnaiveBayesclassierisnotabletodetectattacksreliably.
4.
3Effectof'S'onAttackDetectionInmostsituations,wewant'S'tobesmallsincethecomplexityandtheamountofhistorythatneedstobemaintainedincreaseswith'S'andthesystemcannotrespondinrealtime.
Windowsizeof20andbeyondisoftenlargeresultingindelayedattackdetectionandhighcomputationcosts.
Hence,werestrict'S'to20.
Table1Effectof'S'onAttackDetectionwhenp=0.
60SizeofDecisionNaiveSupportConditionalWindowTreesBayesVectorRandom'S'MachinesFields10.
470.
610.
560.
6220.
470.
580.
660.
6630.
440.
610.
690.
6840.
470.
650.
710.
7950.
460.
640.
720.
7660.
440.
600.
690.
7670.
330.
610.
680.
8180.
470.
650.
740.
8190.
510.
650.
700.
80100.
480.
650.
750.
83110.
510.
660.
800.
84120.
410.
670.
750.
82130.
440.
650.
770.
84140.
470.
630.
740.
86150.
500.
660.
800.
87160.
500.
630.
770.
86170.
470.
650.
820.
86180.
510.
640.
780.
87190.
530.
640.
760.
86200.
560.
660.
810.
86Weobservethatconditionalrandomeldsperformbestandtheirattackdetectioncapabilityincreasesasthewindowsizeincreases.
Additionally,whenweincrease'S'beyond20(notshowninthegraphs),theattackdetectionaccuracyforcondi-tionalrandomeldsincreasessteadilyandthesystemachievesveryhighF-measurewhenweanalyzetheentiresessiontogether.
FromTable1,weobservethatdeci-siontreesanalyzes20eventstogethertoreachtheirbestperformancewhilecon-280KapilKumarGupta,BaikunthNath(Sr.
MIEEE)andKotagiriRamamohanaraoditionalrandomeldsachievesameperformancebyanalyzingonlyasingleevent(i.
e.
,S=1).
Similarly,naiveBayespeakedtheirperformanceatS=12whilecondi-tionalrandomeldsachievedthesameperformanceatS=3.
Finally,supportvectormachinesreachtheirbestperformanceatwindowsizeS=17whiletheconditionalrandomeldsachievethesameperformanceatS=10.
Hence,usingconditionalrandomeldsattackscanbedetectedwithhigheraccuracyatlowervaluesof'S'resultinginearlyattackdetectionandanefcientsystem.
4.
4Effectof'p'onAttackDetection(0osCommerce,OpenSourceOnlineShopE-CommerceSolutions.
Lastaccessed:January08,2008.
http://www.
oscommerce.
com/.
3.
M.
AlmgrenandU.
Lindqvist.
Application-IntegratedDataCollectionforSecurityMonitor-ing.
In4thInternationalSymposiumonRecentAdvancesinIntrusionDetection,pages22–36.
LNCS,Springer-Verlag,Vol(2212),2001.
4.
S.
Axelsson.
ResearchinIntrusion-DetectionSystems:ASurvey.
TechnicalReport98-17,DepartmentofComputerEngineering,ChalmersUniversityofTechnology,1998.
5.
R.
BaceandP.
Mell.
IntrusionDetectionSystems.
Gaithersburg,MD:ComputerSecurityDivision,InformationTechnologyLaboratory,NIST,2001.
UserSessionModelingforEffectiveApplicationIntrusionDetection2836.
E.
Bertino,A.
Kamra,E.
Terzi,andA.
Vakali.
IntrusionDetectioninRBAC-AdministeredDatabases.
In21stAnnualComputerSecurityApplicationsConference.
IEEE,2005.
7.
C.
Y.
Chung,M.
Gertz,andK.
Levitt.
DEMIDS:AMisuseDetectionSystemforDatabaseSystems.
In3rdInternationalIFIPTC-11WG11.
5WorkingConferenceonIntegrityandInternalControlinInformationSystems,pages159–178.
KluwerAcademicPub.
,1999.
8.
L.
Desmet,F.
Piessens,W.
Joosen,andP.
Verbaeten.
BridgingtheGapBetweenWebAppli-cationFirewallsandWebApplications.
In4thACMworkshoponFormalmethodsinsecurity,FMSE,pages67–77.
ACM,2006.
9.
H.
Dreger,A.
Feldmann,M.
Mai,V.
Paxson,andR.
Sommer.
DynamicApplication-LayerProtocolAnalysisforNetworkIntrusionDetection.
In15thUsenixSecuritySymposium,pages257–272,2006.
10.
K.
K.
Gupta,B.
Nath,andK.
Ramamohanarao.
ApplicationIntrusionDetectionDataset.
http://www.
csse.
unimelb.
edu.
au/kgupta.
11.
K.
K.
Gupta,B.
Nath,andK.
Ramamohanarao.
LayeredApproachusingConditionalRandomFieldsforIntrusionDetection.
IEEETransactionsonDependableandSecureComputing.
InPress.
12.
K.
K.
Gupta,B.
Nath,andK.
Ramamohanarao.
ConditionalRandomFieldsforIntrusionDetection.
In21stInternationalConferenceonAdvancedInformationNetworkingandAppli-cationsWorkshops,pages203–208.
IEEE,2007.
13.
K.
K.
Gupta,B.
Nath,K.
Ramamohanarao,andA.
Kazi.
AttackingCondentiality:AnAgentBasedApproach.
InIEEEInternationalConferenceonIntelligenceandSecurityInformatics,pages285–296.
LNCS,SpringerVerlag,Vol(3975),2006.
14.
Y.
HuandB.
Panda.
IdenticationofMaliciousTransactionsinDatabaseSystems.
In7thIn-ternationalDatabaseEngineeringandApplicationsSymposium,pages329–335.
IEEE,2003.
15.
Y.
HuandB.
Panda.
ADataMiningApproachforDatabaseIntrusionDetection.
InACMsymposiumonAppliedComputing,pages711–716.
ACM,2004.
16.
D.
KleinandC.
D.
Manning.
ConditionalStructureversusConditionalEstimationinNLPModels.
InACL-02ConferenceonEmpiricalmethodsinNaturalLanguageProcessingVol(10),pages9–16.
AssociationforComputationalLinguistics,Morristown,NJ,USA,2002.
17.
T.
Kudu.
CRF++:YetanotherCRFtoolkit.
Lastaccessed:February9,2008.
http://crfpp.
sourceforge.
net/.
18.
J.
Lafferty,A.
McCallum,andF.
Pereira.
ConditionalRandomFields:ProbabilisticModelsforSegmentingandLabelingSequenceData.
In18thInternationalConferenceonMachineLearning,pages282–289,2001.
19.
S.
Y.
Lee,W.
L.
Low,andP.
Y.
Wong.
LearningFingerprintsforaDatabaseIntrusionDetectionSystem.
In7thEuropeanSymposiumonResearchinComputerSecurity,Vol(2502),pages264–279.
LNCS,Springer-Verlag,2002.
20.
W.
L.
Low,J.
Lee,andP.
Teoh.
DIDAFIT:DetectingIntrusionsinDatabasesThroughFin-gerprintingTransactions.
In4thInternationalConferenceonEnterpriseInformationSystems,pages264–269,2002.
21.
A.
PatchaandJ.
-M.
Park.
AnOverviewofAnomalyDetectionTechniques:ExistingSolutionsandLatestTechnologicalTrends.
ComputerNetworks,51(12):3448–3470,2007.
22.
C.
SuttonandA.
McCallum.
AnIntroductiontoConditionalRandomFieldsforRelationalLearning.
InIntroductiontoStatisticalRelationalLearning.
MIT,2006.
23.
I.
H.
WittenandE.
Frank.
DataMining:Practicalmachinelearningtoolsandtechniques.
MorganKaufmann,2005.
24.
N.
Ye,X.
Li,Q.
Chen,S.
M.
Emran,andM.
Xu.
ProbabilisticTechniquesforIntrusionDetec-tionBasedonComputerAuditData.
IEEETransactionsonSystems,ManandCybernetics,PartA:SystemsandHumans,31(4):266–274,2001.
25.
Y.
ZhongandXiao-Lin-Qin.
ResearchonAlgorithmofUserQueryFrequentItemsetsMining.
In3rdInternationalConferenceonMachineLearningandCybernetics,Vol(3),pages1671–1676.
IEEE,2004.
26.
Y.
Zhong,Z.
Zhu,andX.
Qin.
AClusteringMethodBasedonDataQueriesandItsApplicationinDatabaseIntrusionDetection.
In4thInternationalConferenceonMachineLearningandCybernetics,Vol(4),pages2096–2101.
IEEE,2005.