Use of K-Nearest Neighbor Classifier for Intrusion Detection

V Rao Vemuri, University of California, Davis

Wednesday, October 23rd, 15-17, LUCAS room (4th floor)

Abstract

A new approach, based on the k-nearest neighbor (kNN) classifier, is used to classify program behavior as normal or intrusive. Program behavior, in turn, is represented by frequencies of system calls. Data about system calls is gathered over a session. Each system call is treated as a word and the collection of calls over a session as a document. These documents are then classified using the kNN classifier, a popular method in text categorization. This method seems to offer some computational advantages over those that seek to characterize "local" program behavior with individual program profiles. Preliminary experiments with 1998 DARPA BSM audit data show that the kNN classifier can effectively detect intrusive attacks and achieve a very low false positive rate. Timing and scaling properties of this method are currently under investigation. If time permits, I will also present some preliminary results from the use of self-organizing maps to identify Distributed Denial of Service (DDOS) attacks.

Brief Biography

Prof. Rao Vemuri received his early education in India and his Ph.D. from the University of California, Los Angeles in 1968. He taught at Purdue University, West Lafayette; State University of New York, Binghamton; and worked for RCA and TRW before joining the University of California, Davis. His research and teaching interests are in the areas of artificial neural nets, genetic algorithms and machine learning. He is currently on a short visit to Lund University. The goal of this visit is to identify opportunities for bilateral exchange of (undergraduate and graduate) students between the two universities. Short-term faculty exchanges to foster better cooperation across nations and cultures are also possible.
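To make the "system calls as words, sessions as documents" idea concrete, here is a small added illustration (not the speaker's code, and not trained on the DARPA BSM data): each session becomes a system-call frequency vector, sessions are compared with cosine similarity as in text categorization, and a new session is labeled by majority vote of its k nearest training sessions. The sample sessions, their labels, and the anomaly threshold are constructed for this example.

```python
from collections import Counter
from math import sqrt

# Constructed sample sessions: each is the sequence of system calls observed in
# one session, with an illustrative label (not from the DARPA BSM data set).
TRAINING_SESSIONS = [
    (["open", "read", "read", "close", "write", "close"], "normal"),
    (["open", "read", "write", "close", "open", "read", "close"], "normal"),
    (["stat", "open", "read", "close", "stat", "open", "read", "close"], "normal"),
    (["execve", "setuid", "execve", "setuid", "chmod", "execve"], "intrusive"),
    (["execve", "chmod", "setuid", "execve", "execve", "chown"], "intrusive"),
]


def term_frequency(session):
    """Treat each system call as a word: the 'document' is its call-frequency vector."""
    return Counter(session)


def cosine_similarity(a, b):
    """Cosine similarity of two sparse frequency vectors (dict: call -> count)."""
    dot = sum(count * b.get(call, 0) for call, count in a.items())
    norm_a = sqrt(sum(v * v for v in a.values()))
    norm_b = sqrt(sum(v * v for v in b.values()))
    if norm_a == 0 or norm_b == 0:
        return 0.0
    return dot / (norm_a * norm_b)


def nearest_neighbors(session, training, k):
    """Return the k (similarity, label) pairs most similar to the session."""
    query = term_frequency(session)
    scored = [(cosine_similarity(query, term_frequency(s)), label) for s, label in training]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return scored[:k]


def knn_classify(session, training=TRAINING_SESSIONS, k=3):
    """Majority vote over the k nearest training documents -> 'normal' or 'intrusive'."""
    votes = Counter(label for _, label in nearest_neighbors(session, training, k))
    return votes.most_common(1)[0][0]


def anomaly_score(session, training=TRAINING_SESSIONS, k=2):
    """Mean similarity to the k nearest *normal* sessions; low means unlike known-good
    behavior. Flagging sessions below a threshold is an assumed variant, not from the talk."""
    normal_only = [(s, label) for s, label in training if label == "normal"]
    neighbors = nearest_neighbors(session, normal_only, k)
    return sum(sim for sim, _ in neighbors) / len(neighbors)
```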