

Modelling and solving the intrusion detection problem in computer networks
Authors: Rachid
Affiliation: Faculty of Sciences, 12 Boulevard Bouaouina, Béjaïa 06000, Algeria
Abstract: We introduce a novel anomaly intrusion detection method based on a Within-Class Dissimilarity (WCD). This approach uses an appropriate metric, WCD, to measure the distance between an unknown user and a known user, each defined by a profile vector. First, each user performs a set of commands (events) on a given system (Unix, for example). The events vector of a given user profile is a binary vector in which an element is equal to “1” if an event happens and to “0” otherwise. In addition, each user class k has a typical profile defined by the vector Pk, which is used to test whether a new user i, defined by its profile vector Pi, belongs to the same class k. The Pk vector is a weighted events vector Ek, such that each weight represents the number of occurrences of an event ek. If the “distance” dki (measured by a dissimilarity parameter) between an unknown profile Pi and a known profile Pk is reasonable according to a given threshold and to some constraints, then there is no intrusion. Otherwise, user i is suspicious. A simple example illustrates the WCD procedure. A survey of intrusion detection methods is presented. Our proposed method, based on clustering users and using simple statistical formulas, is very easy to implement.
Keywords: Intrusion detection; Audit trail analysis; Within-Class Dissimilarity; User behavior; Anomaly intrusion detection; Misuse intrusion detection
This article is indexed in ScienceDirect and other databases.