Multivariate statistical analysis of audit trails for host-based intrusion detection

Intrusion detection complements prevention mehcanisms, such as firewalls, cryptography, and authentication, to capture intrusions into an information system while they are acting on the information system. Our study investigates a multivariate quality control technique to detect intrusions by building a long-term profile of normal activities in information systems (norm profile) and using the norm profile to detect anomalies. The multivariate quality control technique is based on Hotelling's T-2 test that detects both counterrelationship anomalies and mean-shift anomalies. The performance of the Hotelling's T-2 test is examined on two sets of computer audit data: a small data set and a large multiday data set. Both data sets contain sessions of normal and intrusive activities. For the small data set, the Hotelling's T-2 test signals all the intrusion sessions and produces no false alarms for the normal sessions. For the large data set, the Hotelling's T-2 test signals 92 percent of the intrusion sessions while producing no false alarms for the normal sessions. The performance of the Hotelling's T-2 test is also compared with the performance of a more scalable multivariate technique-a chi-squared distance test.