Intrusion Detection System for Classifying User Behavior

Abstract: Nowaday, we use computers for everything from banking and investing to shopping and communicating with others through email or chat programs. Not only for personal use, computers and network of computers become crucial parts of companies, organizations, governments. A lot of important information is stored in computers and transfered across networks and the Internet. Unauthorized users break into systems to have access to private information. This brings the need of a system that can detect and prevent those harmful activities. Intrusion detection systems (IDSs) monitor networks and/or systems to detect malicious activities. That helps us to re-act and stop intruders. There are two types of IDSs, network-based IDSs and host-based IDSs. A network-based IDS monitors network traffic and activities to find attacks, and a host-based IDS monitors activities in a computer system to detect malicious actions. This thesis is a research on using machine learning techniques in implementing a host-based IDS that can tell us a computer process is normal (harmless) or abnormal (harmful). Three machine learning techniques are applied to Basic Security Module (BSM) log files of a Solaris system. Data sets used in experiments are from DARPA Intrusion Detection Evaluation 1998. The research provides some ways to apply Support Vector Machines, k-Nearest Neighbors and Hidden Markov Models to an IDS, and compares performances of these three methods