Statistical Process Control for computer intrusion detection

This paper describes the architecture of a distributed, host-based Intrusion Detection System (IDS) that we have developed at the Information and Systems Assurance Laboratory (ISA), Arizona State University. Hence, we refer to this system as ISA-IDS. ISA-IDS is developed based on Statistical Process Control (SPC). In ISA-IDS we employ two intrusion detection techniques. One is an anomaly detection technique called Chi-square. Another is a misuse detection technique called Clustering. Each technique determines an Intrusion Warning (IW) level for each audit event. The IW levels from different intrusion detection techniques are then combined using a fusion technique into a composite IW level, 0 for normal, I for intrusive, and any value in between to signify the intrusiveness. In this paper we also present the intrusion detection performance of Chi-square and Clustering techniques.