Detecting intrusion with rule-based integration of multiple models

Sang Jun Han, Sung Bae Cho

Research output: Contribution to journalComment/debatepeer-review

41 Citations (Scopus)


As the information technology grows interests in the intrusion detection system (IDS), which detects unauthorized usage, misuse by a local user and modification of important data, has been raised. In the field of anomaly-based IDS several data mining techniques such as hidden Markov model (HMM), artificial neural network, statistical techniques and expert systems are used to model network packets, system call audit data, etc. However, there are undetectable intrusion types for each measure and modeling method because each intrusion type makes anomalies at individual measure. To overcome this drawback of single-measure anomaly detector, this paper proposes a multiple-measure intrusion detection method. We measure normal behavior by systems calls, resource usage and file access events and build up profiles for normal behavior with hidden Markov model, statistical method and rule-base method, which are integrated with a rule-based approach. Experimental results with real data clearly demonstrate the effectiveness of the proposed method that has significantly low false-positive error rate against various types of intrusion.

Original languageEnglish
Pages (from-to)613-623
Number of pages11
JournalComputers and Security
Issue number7
Publication statusPublished - 2003

Bibliographical note

Funding Information:
This research was supported by University IT Research Center Project.

All Science Journal Classification (ASJC) codes

  • Computer Science(all)
  • Law


Dive into the research topics of 'Detecting intrusion with rule-based integration of multiple models'. Together they form a unique fingerprint.

Cite this