Temporal and Spatial Distributed Event Correlation for Network Security




Guofei Jiang, Member, IEEE, and George Cybenko, Fellow, IEEE

Abstract - Computer networks produce large amounts of event-based data that can be collected for network security and management analysis. Computer networks are dynamic systems, and network events are the observables of their dynamic activities. Evidence of attacks against a network and its resources is often scattered among these distributed events. Therefore a critical challenge is to correlate these events across observation space and time to detect various attack scenarios. This paper analyzes how control and estimation methods can be applied to correlate distributed events for network security. Based on those methods, a Process Query System has been implemented which can scan and correlate distributed network events according to users' high-level descriptions of dynamic processes.

I. INTRODUCTION

Computer networks produce large amounts of event-based data that can be collected for network security analysis. These data include alerts from firewalls and Intrusion Detection Systems (IDS), log files of various software systems, routing information from the Internet, and so on. Network events are instantaneous occurrences of certain types of network activity at a point in time and location. If we regard computer networks as dynamic systems, network events are the observables of their dynamic state transitions. Given the distributed nature of networks, evidence of attacks against a network and its resources is often embedded within the totality of events of the distributed systems. Moreover, attacks against a network may involve multiple steps, so that evidence of attacks is typically distributed over time as well. With large amounts of event data originating from the distributed systems in a network, a critical challenge is how to correlate these events across observation space and time to detect and track various attack scenarios. Many traditional IDS use only a single event as the signature to detect attacks, which leads to a high false alarm rate. It is essential to exploit more evidence from the large number of network events to get better detection accuracy.
In this paper, we discuss how control and estimation methods can be applied to correlate distributed events for network security. For example, Bayesian estimation can be used to correlate events across observation space, while a Kalman filter can be used to correlate events along observation time. Based on these approaches, we have developed the notion of a Process Query System (PQS) and have implemented a PQS in software, which is able to scan and correlate distributed events according to users' high-level process descriptions.

(This work was partially supported by ARDA Grant F30602-03-C-0248; DARPA projects F30602-00-2-0585 and F30602-98-2-0107; and National Institute of Justice, Department of Justice award number 2000-DT-CX-K001. Guofei Jiang is with the Institute for Security Technology Studies, Dartmouth College, 45 Lyme Road, Suite 200, Hanover, NH 03755 (e-mail: gfj@dartmouth.edu). George Cybenko is with the Thayer School of Engineering, Dartmouth College, 8000 Cummings Hall, Hanover, NH 03755 (e-mail: gvc@dartmouth.edu).)

II. SCENARIO SIGNATURE

A computer network consists of many components such as routers, switches, web servers, mail servers, database servers, DNS servers, IDS and firewalls. A large network like the Internet can have millions of these components. Moreover, computer networks are dynamic systems, and in each time interval these components produce large amounts of event-based data. All these events can, in principle, be collected by network data analysis centers. The trace of an attack is often scattered among these ad-hoc events. Without efficient correlation algorithms, identifying the trace of an attack in this large and noisy event space is essentially intractable. Like other pattern recognition problems, an attack scenario signature (or pattern) is needed to distinguish the attack from other attacks and from normal network activities. The detection accuracy relies on the accuracy of the scenario signature as well as the accuracy of the collected events. Therefore, a critical challenge is how to characterize various attack scenarios. Figure 1 illustrates how the evidence of an attack is distributed over space and time. Based on cause-effect relationships, an attack can affect the events of multiple observation spaces at the same time.
For example, computer worms like CodeRed and Nimda generate and scan random IP addresses to search for vulnerable targets in the IP space. Since many IP addresses are not assigned to or used by any network, this active probing process generates a large volume of ICMP unreachable messages [1] in network routing. The intensive worm propagation process can also affect the latency of the Internet. Moreover, it is known that a worm outbreak can also lead to unstable Internet Border Gateway Protocol (BGP) routing [2]. Based on these causal relationships, we have at least three independent observation spaces in which to sense the worm outbreak: the volume of ICMP unreachable messages, network latency, and BGP routing stability. Therefore, instead of using a single event for worm detection,

we can use these three indicators as a combined signature to correlate events spatially and detect the worm outbreak.

Figure 1: Temporal and spatial evidence distribution of an attack

Furthermore, an attack affects events across time as well. For example, a computer worm propagates across the Internet following an epidemic model and goes through multiple stages during its lifetime: outbreak, propagation, and eradication. During this dynamic process, the volume of ICMP unreachable messages follows a temporal pattern, which can be used as a temporal signature to detect the worm. In fact, each observation space discussed above can sense the worm's outbreak independently, with its own specific temporal pattern. Later in this paper, we use a process model to characterize the temporal signature; temporal events in each observation space can then be correlated with a process model to detect attacks. As shown in Figure 1, instead of using a single event as the signature, we can use a joint scenario signature that combines spatial and temporal patterns to characterize and distinguish various attacks. With more evidence exploited from the distributed events, we believe that this approach should result in better detection accuracy, especially in a noisy network environment. A challenging problem is how to get enough knowledge to build exact signatures for various attack scenarios. There are mainly two approaches to this issue: one is to use expert knowledge to build scenario signatures, based on causality analysis as discussed above; the other is to use data-mining technology [3] to extract signatures from large amounts of training data. Though both technologies are very important for data analysis, this issue is beyond the scope of this paper. Instead, given a scenario signature, we analyze how distributed events can be correlated according to the signature.

III. SPATIAL-BASED CORRELATION

Correlation speed and accuracy are two important performance aspects of event correlation systems. A classical approach to event correlation is rule-based analysis. That is, a correlation system constantly uses a set of predefined rules to evaluate incoming observations until a conclusion is reached. Therefore the correlation ability depends solely on the depth and capability of the rule set.
Large amounts of expert knowledge are required to design correct rule sets. Following the rigid paths of rule sets, observations may have to be checked against numerous conditional branches, so rule-based systems usually do not scale well. Meanwhile, rule-based systems are inherently stateless and do not handle dynamic data correlation very well. In the following sections, we discuss how control and estimation methods can be applied to improve the speed and accuracy of event correlation.

Spatial-based correlation correlates events from multiple observation spaces or sensors at the same time to detect attack scenarios. Denote an attack scenario as $s_i$ and assume we have a set of $m$ attack scenarios $S = \{s_1, s_2, \ldots, s_m\}$. Denote an observation space as $O_j$ and assume we have a set of $n$ observation spaces $O = \{O_1, O_2, \ldots, O_n\}$. Each observation space can be an independent indicator of attack scenarios. Spatial-based event correlation is about how to correlate the $n$ indicators to detect and distinguish these $m$ attack scenarios.

A. Deterministic Correlation

The codebook approach [4] is a simple event correlation approach used in network management. The principle of this correlation approach is based on the causal relationships of events. We believe that this approach can also be applied to network intrusion detection. Figure 2 illustrates a causality graph with three attack scenarios and four observation spaces. The directed edges in the figure represent causality. For example, if attack $s_1$ occurs, it causes abnormal observations in $O_1$ and $O_3$; conversely, this attack does not affect observations in $O_2$ and $O_4$. Based on these causal relationships, we can build a codebook correlation matrix as shown in Table 1, where one and zero represent abnormal and normal observations, classified with space-specific thresholds. We can then compare events from multiple observation spaces with the correlation matrix to detect and distinguish these attacks. Every attack scenario must have a distinguishable scenario signature (column) in this correlation matrix. Expert knowledge is needed to build the scenario signatures and the correlation matrix. The size of the correlation matrix can be reduced, but scenario signatures have to remain a minimum Hamming distance apart in order to be distinguishable [4].
Figure 2: A causality graph (s1 -> O1, O3; s2 -> O2, O3; s3 -> O4)

Table 1: Correlation matrix

        s1   s2   s3
  O1     1    0    0
  O2     0    1    0
  O3     1    1    0
  O4     0    0    1
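The codebook decoding described above, as an added example that is not part of the original paper: it builds Table 1 from the causality graph of Figure 2, checks the minimum Hamming distance between signatures, classifies a thresholded observation vector by nearest signature, and also searches over combinations of scenarios (the 0/1 case of the hypothesis vector used in the integer program of the next subsection), which a single codebook lookup cannot represent. The per-space thresholds, the raw measurements and the treatment of ties are assumptions made for illustration.

```python
"""Codebook (deterministic spatial) correlation for the causality graph of Figure 2.

Each attack scenario disturbs a subset of observation spaces; the correlation
matrix of Table 1 is one binary code per scenario, and thresholded events are
decoded by nearest-signature matching. All sample data below is constructed.
"""
from itertools import combinations

# Causality graph of Figure 2: scenario -> observation spaces it makes abnormal.
CAUSES = {
    "s1": {"O1", "O3"},
    "s2": {"O2", "O3"},
    "s3": {"O4"},
}
SPACES = ["O1", "O2", "O3", "O4"]

# Assumed per-space thresholds that turn a raw measurement (for instance the
# number of ICMP-unreachable messages per interval) into the 0/1 of Table 1.
THRESHOLDS = {"O1": 500, "O2": 50, "O3": 0.25, "O4": 10}


def build_codebook(causes, spaces):
    """Table 1 as one code per scenario: a tuple with 1 where the space is disturbed."""
    return {s: tuple(int(o in hit) for o in spaces) for s, hit in causes.items()}


def binarize(measurements, spaces, thresholds):
    """Classify raw measurements into the abnormal(1)/normal(0) observation vector."""
    return tuple(int(measurements[o] > thresholds[o]) for o in spaces)


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def min_code_distance(codebook):
    """Smallest Hamming distance between any two signatures. Every pair must be
    distinguishable (distance > 0); correcting t noisy bits needs distance >= 2t + 1."""
    codes = list(codebook.values())
    return min(hamming(x, y) for x, y in combinations(codes, 2))


def classify(observation, codebook, tolerance=0):
    """Nearest-signature decoding allowing up to `tolerance` noisy bits.

    Returns (scenario, distance) when exactly one signature is nearest and within
    tolerance; None when nothing matches or two signatures tie (ambiguous)."""
    ranked = sorted((hamming(observation, code), name) for name, code in codebook.items())
    best_d, best_name = ranked[0]
    if best_d > tolerance:
        return None
    if len(ranked) > 1 and ranked[1][0] == best_d:
        return None
    return best_name, best_d


def explain_by_combination(observation, codebook, max_attacks=None):
    """Smallest set of scenarios whose OR-ed signatures reproduce the observation.

    This is the 0/1 special case of the hypothesis vector H of Eq. (1): a single
    codebook lookup cannot represent two scenarios occurring at once, but a
    search over combinations can."""
    names = list(codebook)
    limit = max_attacks or len(names)
    width = len(observation)
    for k in range(1, limit + 1):
        for combo in combinations(names, k):
            merged = tuple(int(any(codebook[s][i] for s in combo)) for i in range(width))
            if merged == tuple(observation):
                return set(combo)
    return None


if __name__ == "__main__":
    cb = build_codebook(CAUSES, SPACES)
    print("codebook:", cb, "min distance:", min_code_distance(cb))
    # Constructed measurements: O1, O2 and O3 above threshold, O4 quiet.
    obs = binarize({"O1": 1200, "O2": 80, "O3": 0.4, "O4": 2}, SPACES, THRESHOLDS)
    print("observation:", obs, "single scenario:", classify(obs, cb, tolerance=1))
    print("combination:", explain_by_combination(obs, cb))
```

With the three signatures of Table 1 the minimum distance is 2, so the codebook cannot correct even one noisy bit without ambiguity: the vector (1,1,1,0) is at distance 1 from both s1 and s2, and `classify` refuses to guess, while `explain_by_combination` reports it as s1 and s2 occurring together.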

Define the correlation matrix as $OS = \{os_{ji}\}$, where $os_{ji}$ is an element of this matrix for $1 \le j \le n$ and $1 \le i \le m$. In the codebook approach, $os_{ji}$ is 1 or 0, i.e. the observations are put into two categories, abnormal or normal. This binary representation gives little information about the intensity of abnormal observations. Instead, $os_{ji}$ could be a real value, such as the volume of ICMP unreachable messages or the number of calls to a specific system call. In this case, we believe that the correlation problem can be formulated as the following Integer Programming problem:

$$\min_{H} \| O - OS \cdot H \| \quad \text{subject to:} \quad \sum_{i=1}^{m} os_{ji}\, h_i \le o_j \ \ (1 \le j \le n), \qquad h_i \ge 0 \text{ and integer.} \qquad (1)$$

Here $H = (h_1, h_2, \ldots, h_m)^T$ is the hypothesis vector and $O = (o_1, o_2, \ldots, o_n)^T$ is the observation vector from the $n$ observation spaces. The above Integer Programming problem is about how to combine attack scenarios so that the real observations can be interpreted. For example, $H = (0, 1, 1, 0, \ldots, 0)^T$ means that attack scenarios $s_2$ and $s_3$ occurred at the same time. The codebook approach cannot detect such a combination of attack scenarios. If we regard an observation space as a signal channel, the observed events usually include both signal from attacks and noise from the network environment. Our integer programming approach can detect multiple instances of attack scenarios at the same time and works in environments where the signal-to-noise ratio of the observations is strong. Nonetheless, expert knowledge is needed to obtain the $os_{ji}$ values, and these values have to be normalized across the various attack scenarios. Integer programming algorithms have been analyzed extensively in the literature.

B. Probabilistic Correlation

As mentioned above, deterministic correlation approaches do not work well in a noisy environment. Network noise originates from normal network activities. For example, a major router failure can generate many ICMP unreachable messages, and an alert about multiple login failures can result from a forgotten password. The question is how to detect attack scenarios from such biased observations. Denote the observation value of observation space $O_j$ as $o_j$, with $o_j \in V_j$ ($1 \le j \le n$), where $V_j$ is the set of all possible $o_j$ values. Based on expert knowledge and statistics, assume that we know the conditional probabilities

$$p(o_j \mid s_i) = \Pr(O_j = o_j \mid S = s_i) \qquad (2)$$

for $1 \le i \le m$ and $1 \le j \le n$.
That is, the distribution of observation values caused by an attack is known. According to Bayes' theorem, we can compute the posterior distribution:

$$p(s_i \mid o_j) = \frac{p(o_j \mid s_i)\, p(s_i)}{p(o_j)}. \qquad (3)$$

Now the question is how to correlate observations from multiple observation spaces. Assuming that we have observations from $O_j$ and $Q_k$, the joint posterior probability is

$$p(s_i \mid o_j, q_k) = \frac{p(o_j, q_k \mid s_i)\, p(s_i)}{p(o_j, q_k)}. \qquad (4)$$

If observation spaces $O$ and $Q$ are independent, that is, events in one observation space do not cause events in the other and vice versa, Equation (4) can be written as

$$p(s_i \mid o_j, q_k) = \frac{p(s_i \mid o_j)\, p(s_i \mid q_k)}{p(s_i)}. \qquad (5)$$

In fact, if we only want to identify the most likely attack that causes the current observations, we can use the right-hand side of Equation (6) to compare the likelihoods of different attack scenarios:

$$\frac{p(s_i \mid o_j, q_k)}{p(s_l \mid o_j, q_k)} = \frac{p(o_j, q_k \mid s_i)\, p(s_i)}{p(o_j, q_k \mid s_l)\, p(s_l)}. \qquad (6)$$

However, in most cases the prior probabilities $p(s_i)$ and $p(s_l)$ are unknown, and we have to assume that they are equal. Under this assumption the prior ratio cancels, and the likelihood ratio $p(o_j, q_k \mid s_i) / p(o_j, q_k \mid s_l)$ in Equation (6) can be evaluated against a selected threshold to determine the attack scenario. Given this threshold, Neyman-Pearson detection theory [5] can be used to derive the corresponding false alarm rate and mis-detection rate. Straightforwardly, increasing the number of observation spaces makes the attack scenarios more distinguishable. Multi-level causal relationships of events can be expressed with a Bayesian network [6]. A Bayesian network is a directed acyclic graph in which the nodes are random variables and an edge indicates that the source exerts direct causal influence on the destination. In a Bayesian network, a joint probability is factored into a set of conditional probabilities, which can be computed sequentially along the causality paths in the network. Abouzakhar et al. [7], for example, have used a Bayesian network model to detect Distributed Denial of Service (DDoS) attacks. Another approach for spatial correlation is Dempster-Shafer theory, which can combine the beliefs from multiple observation spaces. Probabilistic correlation can work well in noisy environments. However, it is difficult to obtain the prior and conditional probabilities, so in practice this approach is not as feasible as deterministic correlation methods.

IV. TEMPORAL-BASED CORRELATION

In this section, we discuss how distributed events can be correlated over observation time to detect attack scenarios. Many attacks involve multiple steps, and the evidence of

attacks is often scattered over events in time. A computer network itself is a dynamic system, and network events are observables of its dynamic activity. The temporal signature of an attack, or of normal network behavior, can be described as a dynamic process, deterministic or stochastic. A process model describes the state transitions of an object that evolves with time according to specific known laws. For example, a process model can be described with a state transition equation, a Markov model, a finite state machine, and so on. State is an important concept in temporal-based correlation. Temporal-based correlation strives to correlate observed events in time to detect attacks, and can be formalized as a target-tracking problem; target tracking algorithms from radar and sonar signal processing can be applied to temporal-based event correlation. If the dynamic process of an attack is known, temporal-based correlation can detect this attack by tracking whether the events follow the process of the attack. Otherwise, if the process of normal network behavior is known, temporal-based correlation can detect unknown attacks by tracking whether the events follow the process of normal network behavior. This second approach is called anomaly detection in the network security literature.

A. Deterministic Correlation

Much previous work uses a finite state machine to describe the deterministic process of an attack or of a software behavior. Events are evaluated against the sequence of state transitions to detect attacks. Ilgun, Kemmerer and Porras [8] used state transition diagrams to identify precisely the stages of a penetration and to represent only the critical events that must occur for the successful completion of the penetration. Kumar and Spafford [9] used Colored Petri Nets to describe the temporal signatures of attacks. All these approaches model the temporal signatures or penetration processes of attacks. Conversely, much anomaly detection work has modeled the process of normal software or network behavior in order to detect unknown attacks. Hofmeyr, Forrest and Somayaji [10] used short sequences of the system calls executed by running programs as a temporal signature to detect abnormal software behavior.
Ko [11] used audit logs to capture the behavior of a program and used that specification as an oracle against which the behavior is checked. It is known that eighty percent of a program's execution usually occurs in only twenty percent of its code; the hot paths in a program usually represent its major behavior. The first approach needs expert knowledge of attacks to build the temporal signature. The second approach can build the temporal signature of software behavior automatically through a training process; however, the anomaly detection approach cannot determine the type of attack.

B. Probabilistic Correlation

In deterministic correlation, the states of a dynamic process are observed and tracked without noise. In a noisy environment, observations are often tainted by network noise. Denote the state of a dynamic process as $X$ and the observation as $O$. Denote the states up to time $t$ as $x_{1:t} = x_1, x_2, \ldots, x_t$ and the related observations as $o_{1:t} = o_1, o_2, \ldots, o_t$. Since several states of a dynamic process can lead to the same observation, and there is noise, the state itself is unobservable and can only be estimated from the observations. At time $t$, one task of temporal-based correlation is to correlate the observations up to time $t$ to estimate the current state $x_t$, i.e. $\Pr(x_t \mid o_{1:t})$. We can compute this posterior probability recursively with the Bayesian filter [12]:

$$p(x_t \mid o_{1:t-1}) = \int p(x_t \mid x_{t-1})\, p(x_{t-1} \mid o_{1:t-1})\, dx_{t-1},$$

$$p(o_t \mid o_{1:t-1}) = \int p(o_t \mid x_t)\, p(x_t \mid o_{1:t-1})\, dx_t,$$

$$p(x_t \mid o_{1:t}) = \frac{p(o_t \mid x_t)\, p(x_t \mid o_{1:t-1})}{p(o_t \mid o_{1:t-1})}, \qquad (7)$$

provided the following assumptions about the process hold: (1) the state transitions of the process model have the Markov property, i.e. the current state $x_t$ depends only on the previous state $x_{t-1}$ and not on any earlier state; (2) the observation $o_t$ depends only on the current state and not on any earlier states or observations. The linear Kalman filter model [13] and Hidden Markov Models (HMM) [14] are two powerful models that satisfy these two assumptions. Efficient correlation algorithms such as the Kalman filter and the Viterbi algorithm [14] can be derived from Equation (7) for these specific models. The linear model used by the Kalman filter is described by the following equations:

$$x_{t+1} = D\, x_t + w_t, \qquad (8)$$

$$o_t = H\, x_t + v_t, \qquad (9)$$

where $w_t$ and $v_t$ are Gaussian noise and $D$ and $H$ are constant matrices.
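An added example, not the authors' code, of the linear model of Equations (8) and (9) tracking a worm's scan volume, in the spirit of the Kalman-filter worm prediction of Zou et al. [16] cited below: the state is the expected number of ICMP-unreachable messages per interval, the transition $D$ is an assumed constant growth factor, and two measurement channels (the ICMP count and a latency proxy) are stacked into one measurement equation, which is what Section V.B later does in Equation (11). The growth factor, noise variances, channel gains and the synthetic data are all constructed assumptions.

```python
"""Kalman-filter temporal correlation of a worm's scan volume (Eqs. 8-9).

Scalar state x_t: expected number of ICMP-unreachable messages per interval,
driven by an early-stage worm whose infected population grows by a constant
factor per interval, so D = [a]. Two observation channels, the ICMP count and
a latency-increase proxy, are measured with independent Gaussian noise, so
H = [1, c]^T and R is diagonal. All constants and data are constructed.
"""
import random

GROWTH = 1.2                  # assumed per-interval growth factor a (D = [a])
PROCESS_VAR = 4.0             # variance of w_t
CHANNEL_GAIN = (1.0, 0.5)     # H: ICMP count sees x_t, latency proxy sees 0.5 x_t
CHANNEL_VAR = (225.0, 100.0)  # diagonal of R: measurement noise variance per channel


def kalman_track(channels, a=GROWTH, q=PROCESS_VAR, h=CHANNEL_GAIN, r=CHANNEL_VAR,
                 x0=0.0, p0=1e4):
    """Return (estimates, variances) of x_t given all observations up to t.

    Because R is diagonal, the stacked measurement can be applied as successive
    scalar updates, one per channel, which is algebraically identical to the
    vector update and needs no matrix inverse. x0/p0 is a diffuse prior."""
    x, p = x0, p0
    estimates, variances = [], []
    for t in range(len(channels[0])):
        if t > 0:                       # predict: x_t = a x_{t-1} + w_t
            x = a * x
            p = a * a * p + q
        for ch, (hc, rc) in enumerate(zip(h, r)):   # correct with each channel
            z = channels[ch][t]
            s = hc * hc * p + rc        # innovation variance
            k = p * hc / s              # Kalman gain
            x = x + k * (z - hc * x)
            p = (1.0 - k * hc) * p
        estimates.append(x)
        variances.append(p)
    return estimates, variances


def synthetic_worm(steps=25, start=20.0, seed=7):
    """Constructed data: the true volume grows geometrically; each channel adds noise."""
    rng = random.Random(seed)
    truth = [start * GROWTH ** t for t in range(steps)]
    icmp = [v * CHANNEL_GAIN[0] + rng.gauss(0, CHANNEL_VAR[0] ** 0.5) for v in truth]
    latency = [v * CHANNEL_GAIN[1] + rng.gauss(0, CHANNEL_VAR[1] ** 0.5) for v in truth]
    return truth, (icmp, latency)


def mean_abs_error(estimates, truth):
    return sum(abs(e - t) for e, t in zip(estimates, truth)) / len(truth)


def run_demo():
    """Filter the constructed data; returns (truth, raw ICMP channel, estimates, variances)."""
    truth, channels = synthetic_worm()
    est, var = kalman_track(channels)
    return truth, channels[0], est, var


if __name__ == "__main__":
    truth, raw, est, var = run_demo()
    print("raw ICMP MAE: %.1f   filtered MAE: %.1f"
          % (mean_abs_error(raw, truth), mean_abs_error(est, truth)))
    for t in (0, 5, 10, 24):
        print("t=%2d truth=%7.1f raw=%7.1f est=%7.1f sd=%.1f"
              % (t, truth[t], raw[t], est[t], var[t] ** 0.5))
```

After every update the posterior variance is below the noise variance of the noisiest channel, and the filtered volume tracks the true growth curve more closely than either raw channel; the same filter run forward without updates gives the one-step prediction of the next interval's volume.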
The Kalman filter uses the observed $o_{1:t}$ to estimate the underlying unknown $x_t$. In the discrete case, a hidden Markov model uses a state transition matrix and an emission matrix in place of Equations (8) and (9), respectively. Denote an attack scenario as $s_i$ and assume we have a set of $m$ attack process models $S = \{s_1, s_2, \ldots, s_m\}$. The detection problem here is to determine which attack is generating the observations $o_{1:t} = o_1, o_2, \ldots, o_t$. Based on our earlier analysis of Equation (6), we can compare the likelihoods $p(o_{1:t} \mid s_i)$ of the various attack scenarios and identify the attack with the following inequalities:

$$B < r = \frac{p(o_{1:t} \mid s_i)}{p(o_{1:t} \mid s_k)} < A, \qquad (10)$$

where $A$ and $B$ are two thresholds. If the ratio $r$ is larger than $A$, we conclude that the attack is $s_i$. Conversely, if $r$ is smaller than $B$, we conclude that the

attack is $s_k$. If $r$ is smaller than $A$ but larger than $B$, we continue to receive new observations until the ratio crosses threshold $A$ or $B$. Though the probability $p(o_{1:t} \mid s_i)$ can be computed recursively from Equation (7), in most cases we do not know its analytical form (for example, how to compute $p(o_{1:t} \mid s_i)$ is Problem 1 of HMMs in [14]). Therefore we cannot use Neyman-Pearson detection theory to derive the corresponding false alarm rate and mis-detection rate. Denote the false alarm rate as $\alpha = P_{s = s_k}(r > A)$, i.e. the attack is $s_k$ but the ratio $r$ exceeds $A$. Similarly denote the mis-detection rate as $\beta = P_{s = s_i}(r < B)$. From the results of sequential analysis [15], we have the following inequalities:

$$1 - \beta \ge A\,\alpha \quad \text{and} \quad \beta \ge (1 - \alpha)\, B,$$

so that choosing $A = (1 - \beta)/\alpha$ and $B = \beta/(1 - \alpha)$ bounds both error rates. Both the Kalman filter linear model and the HMM have been applied to model the dynamic process of attacks or of normal software behavior. Based on epidemic models and observation data of a fast-spreading worm, Zou et al. [16] use a linear model to describe the dynamic process of worm propagation and deploy a Kalman filter to predict worm propagation in real time. Warrender and Forrest [17] use training data to learn an HMM that represents normal software behavior. However, it is usually difficult to obtain accurate parameters for these models, and we are developing nonparametric weak models and algorithms for temporal-based event correlation [18].

V. JOINT TEMPORAL AND SPATIAL CORRELATION

As mentioned in Section II, evidence of attacks against a network is scattered over events across observation space and time. As illustrated in Figure 3, it is important to integrate spatial and temporal event correlation for intrusion detection. Assume that an attack process can be observed in three observation spaces. Each observation space can correlate its events along time with a process model. At each time step, the events from these three observation spaces should be correlated spatially. There are several approaches to integrating the temporal and spatial correlation methods.

Figure 3: Temporal and spatial correlation

A. Deterministic Correlation

As shown in Figure 3, multiple observation spaces can correlate their temporal events along time independently.
The result of each temporal correlation indicates normal or abnormal behavior in that specific observation space. With the results from multiple observation spaces, a codebook or Integer Programming approach can then be used to correlate these temporal correlation results spatially, as described in Section III. Several states of a dynamic process can lead to the same observation, so the hidden state underlying an observation is unobservable; an HMM, for example, has an emission matrix for this reason. In temporal-based correlation, a sequence of observations can therefore originate from many hypotheses about the hidden state sequence. With multiple observation spaces, at each time step we can use a codebook approach to distinguish hidden states instead of attack scenarios. In theory, as long as we add enough observation spaces with distinguishable features to the correlation matrix of Table 1, we can make every state observable. In that case, a temporal correlation process can directly map a sequence of observations to a sequence of states. In most cases, however, we do not need to distinguish every state for every observation, since we can infer the sequence of hidden states from the state transition property of the process model [18]. We are currently developing theory to address how to configure observation spaces so that the hypothesis set stays manageable (not exponential).

B. Probabilistic Correlation

Denote the state of a dynamic attack process as $X$, and its states up to time $t$ as $x_1, x_2, \ldots, x_t$. Assume that we have two observation spaces, $O$ and $Q$, to detect this attack process. Denote the observations of $O$ up to time $t$ as $o_{1:t} = (o_1, o_2, \ldots, o_t)$ and the observations of $Q$ up to time $t$ as $q_{1:t} = (q_1, q_2, \ldots, q_t)$. At each time $t$, spatial and temporal events can be correlated together if we have the posterior probability $p(s_i \mid o_{1:t}, q_{1:t})$. However, according to Equations (4) and (7), it is usually very difficult to compute the joint probabilities. But if the two observation spaces are independent, we can compute $p(s_i \mid o_{1:t}, q_{1:t})$ with the following three steps:

Step 1: At each time $t$, for each observation space, correlate the temporal events according to Equation (7) and compute $p(s_i \mid o_{1:t})$ and $p(s_i \mid q_{1:t})$, respectively.

Step 2: According to Equation (5), correlate the spatial events and compute $p(s_i \mid o_{1:t}, q_{1:t})$ from the $p(s_i \mid o_{1:t})$ and $p(s_i \mid q_{1:t})$ of Step 1.
The prior $p(s_i)$ in Equation (5) is itself computed recursively.

Step 3: $p(s_i \mid o_{1:t}, q_{1:t})$ replaces $p(s_i \mid o_{1:t})$ and $p(s_i \mid q_{1:t})$; set $t = t + 1$ and go to Step 1.

In theory, even if the observation spaces $O$ and $Q$ are dependent, we can add another dimension to the measurement equation (9) and correlate the events with a single temporal correlation process, i.e.

$$\begin{pmatrix} o_t \\ r_t \end{pmatrix} = H\, x_t + \begin{pmatrix} v_{1,t} \\ v_{2,t} \end{pmatrix}. \qquad (11)$$

In the discrete case, as discussed in subsection A, multiple observation spaces help to distinguish hidden states and lead to a sparser emission matrix in the HMM. For the detection problem, we can use the same approach as in inequality (10). With more evidence exploited from the distributed events, we expect that a joint signature with temporal and spatial patterns should lead to better detection accuracy and a lower false alarm rate. The challenge of this approach is that we need enough knowledge to build the joint signature. We are currently developing ten types of sensors and twelve attack scenarios to verify the concept proposed here. These sensors include Internet-based, local-network-based and host-based sensors.

VI. PROCESS QUERY SYSTEM

Figure 4: The architecture of PQS

A Process Query System (PQS) has been implemented using these correlation methods to scan and correlate distributed events. The PQS allows users to define process signatures at a high level of abstraction and to submit the signatures as queries to the correlation system. The system scans and correlates distributed events according to the signatures in real time. Our current PQS supports only temporal-based correlation. As shown in Figure 4, the PQS consists of three major components: the User Interface, the TRAFEN correlation engine, and Message Oriented Middleware (MOM). Network events are published into the MOM under specific topics such as Network Latency. With the front-end user interface, users define a process signature with a high-level abstraction such as an HMM. The process signature and the topics of the event subscription are submitted to the back-end TRAFEN correlation engine. The TRAFEN engine parses the query and subscribes to events from the MOM with the user-specified topics. Multiple-hypothesis tracking (MHT) algorithms are then invoked with the user-defined process models to scan and correlate the incoming events. During event correlation, the MHT algorithms recursively calculate the probability that a new event is associated with each existing hypothesis; the new event is added to the hypothesis with the maximum likelihood and the set of hypotheses is updated. The submitted process model is used to compute the conditional probability that a new event is associated with the existing hypotheses.
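The three-step recursion of Section V.B together with the ratio test of inequality (10), as an added example that is not the PQS implementation or the authors' code: one discrete HMM per scenario (the kind of process model the PQS accepts as a query), a recursive filter per observation space as in Equation (7), spatial combination by the product of Equation (5) under the independence assumption, and Wald's thresholds $A$ and $B$ derived from the target false alarm and mis-detection rates. The two process models, all of their probabilities, the discretisation of the observation spaces and the event sequences are constructed for illustration.

```python
"""Joint temporal and spatial correlation (Section V.B) with one HMM per scenario
and the sequential ratio test of inequality (10).

Constructed scenario models: "worm" (quiet -> outbreak -> propagation ->
eradication) and "normal" (calm with occasional bursts, e.g. a router failure).
Two observation spaces, assumed independent: discretised ICMP-unreachable volume
and a discretised latency/BGP-instability indicator. All numbers are constructed.
"""
import math

ICMP = {"low": 0, "med": 1, "high": 2}   # observation space O
LAT = {"low": 0, "high": 1}              # observation space Q


class ProcessModel:
    """Discrete HMM: start distribution, transition matrix, one emission matrix per space."""

    def __init__(self, name, start, trans, emit):
        self.name, self.start, self.trans, self.emit = name, start, trans, emit


class ChannelFilter:
    """Step 1: recursive Bayesian filter (Eq. 7) of one model on one observation space.
    Keeps the normalised state posterior and accumulates log p(o_1..o_t | model)."""

    def __init__(self, model, space):
        self.model, self.emit = model, model.emit[space]
        self.post, self.loglik, self.t = list(model.start), 0.0, 0

    def update(self, symbol):
        n = len(self.post)
        if self.t == 0:
            prior = self.post
        else:  # predict through the transition matrix
            prior = [sum(self.post[i] * self.model.trans[i][j] for i in range(n)) for j in range(n)]
        joint = [prior[j] * self.emit[j][symbol] for j in range(n)]  # correct with emission
        scale = sum(joint)                       # p(o_t | o_1..o_{t-1})
        self.loglik += math.log(scale)
        self.post = [v / scale for v in joint]   # p(x_t | o_1..o_t)
        self.t += 1
        return self.loglik


def wald_thresholds(alpha, beta):
    """A and B of inequality (10) from 1 - beta >= A*alpha and beta >= (1 - alpha)*B."""
    return (1 - beta) / alpha, beta / (1 - alpha)


def correlate(target, alternative, observations, alpha=0.01, beta=0.01):
    """Run Steps 1-3 of Section V.B for two models until r crosses A or B.
    observations: {space: [symbols]} of equal length. Returns (decision or None,
    step at which it was reached, list of r per step)."""
    A, B = wald_thresholds(alpha, beta)
    spaces = list(observations)
    filters = {m.name: [ChannelFilter(m, sp) for sp in spaces] for m in (target, alternative)}
    steps, ratios = len(observations[spaces[0]]), []
    for t in range(steps):
        # Step 1: temporal update of every (model, space) filter. Step 2: spatial
        # combination of independent spaces by Eq. (5), a product of likelihoods
        # (equal priors cancel in the ratio). Step 3: each filter carries its
        # posterior forward to t + 1.
        ll = {name: sum(f.update(observations[sp][t]) for f, sp in zip(fs, spaces))
              for name, fs in filters.items()}
        r = math.exp(ll[target.name] - ll[alternative.name])
        ratios.append(r)
        if r > A:
            return target.name, t + 1, ratios
        if r < B:
            return alternative.name, t + 1, ratios
    return None, steps, ratios


WORM = ProcessModel(
    "worm",
    start=[1.0, 0.0, 0.0, 0.0],  # quiet, outbreak, propagation, eradication
    trans=[[0.7, 0.3, 0.0, 0.0], [0.0, 0.2, 0.8, 0.0], [0.0, 0.0, 0.9, 0.1], [0.0, 0.0, 0.0, 1.0]],
    emit={"icmp": [[0.8, 0.15, 0.05], [0.2, 0.6, 0.2], [0.05, 0.15, 0.8], [0.3, 0.5, 0.2]],
          "latency": [[0.9, 0.1], [0.6, 0.4], [0.2, 0.8], [0.5, 0.5]]},
)
NORMAL = ProcessModel(
    "normal",
    start=[1.0, 0.0],            # calm, burst
    trans=[[0.9, 0.1], [0.6, 0.4]],
    emit={"icmp": [[0.8, 0.15, 0.05], [0.3, 0.4, 0.3]],
          "latency": [[0.9, 0.1], [0.7, 0.3]]},
)

# Constructed event stream: ICMP volume climbs and stays high, latency follows.
EVENTS = {
    "icmp": [ICMP[s] for s in ("low", "med", "high", "high", "high", "high")],
    "latency": [LAT[s] for s in ("low", "low", "high", "high", "high", "high")],
}


def run_demo():
    return correlate(WORM, NORMAL, EVENTS)


if __name__ == "__main__":
    decision, step, ratios = run_demo()
    print("decision:", decision, "at step", step)
    print("likelihood ratios per step:", ["%.2f" % r for r in ratios])
```

With $\alpha = \beta = 0.01$ the thresholds are $A = 99$ and $B \approx 0.0101$. On the constructed stream the combined ratio is close to 1 for the first two intervals, reaches roughly 19 after the third (not yet decisive on its own) and jumps past $A$ at the fourth, where the "worm" model is declared; neither observation space alone crosses $A$ that early, which is the point of combining them spatially.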
Based on ICMP unreachable messages collected from several routers, our PQS has been used successfully for Internet worm detection [19]. However, the current PQS implementation supports only temporal-based event correlation. In future work, the joint temporal and spatial event correlation analyzed in this paper will be implemented in the next version of PQS.

REFERENCES

[1] Vince Berk, Robert Gray and George Bakos, "Using sensor networks and data fusion for early detection of active worms," Proc. of the 2003 SPIE Aerosense Conference, Orlando, FL, April 2003.
[2] James Cowie, Andy T. Ogielski, BJ Premore and Yougu Yuan, "Internet worms and global routing instabilities," Proceedings of SPIE, Vol. 4868, July/August 2002.
[3] Herbert A. Edelstein, Introduction to Data Mining and Knowledge Discovery, Two Crows Corporation, 1999.
[4] S. A. Yemini, S. Kliger, E. Mozes, Y. Yemini and D. Ohsie, "High speed and robust event correlation," IEEE Communications Magazine, May 1996.
[5] H. Vincent Poor, An Introduction to Signal Detection and Estimation, Springer-Verlag, 1994.
[6] C. Howson and P. Urbach, Scientific Reasoning: The Bayesian Approach, Open Court Publishing Company, La Salle, 1989.
[7] N. S. Abouzakhar, A. Gani et al., "Bayesian learning networks approach to cybercrime detection," PGNet 2003, June 16-17, 2003, Liverpool, UK.
[8] Koral Ilgun, Richard A. Kemmerer and Phillip A. Porras, "State transition analysis: a rule-based intrusion detection approach," IEEE Transactions on Software Engineering, Vol. 21, No. 3, March 1995.
[9] Sandeep Kumar and Eugene H. Spafford, "A pattern-matching model for intrusion detection," in Proceedings of the National Computer Security Conference, pp. 11-21, Oct. 1994.
[10] S. Hofmeyr, S. Forrest and A. Somayaji, "Intrusion detection using sequences of system calls," Journal of Computer Security, Vol. 6, pp. 151-180, 1998.
[11] C. C. W. Ko, Execution Monitoring of Security-Critical Programs in a Distributed System: A Specification-Based Approach, Ph.D. Thesis, University of California at Davis, August 1996.
[12] Lawrence D. Stone, Carl A. Barlow and Thomas L. Corwin, Bayesian Multiple Target Tracking, Artech House, Norwood, MA, 1999.
[13] R. E. Kalman, "A new approach to linear filtering and prediction problems," Journal of Basic Engineering, Vol. 82-D, 1960.
[14] Lawrence R. Rabiner, "A tutorial on hidden Markov models and selected applications in speech recognition," Proceedings of the IEEE, Vol. 77, No. 2, February 1989.
[15] A. Wald, Sequential Analysis, John Wiley & Sons, 1947.
[16] Cliff Changchun Zou, Lixin Gao, Weibo Gong and Don Towsley, "Monitoring and early warning for Internet worms," 10th ACM Conference on Computer and Communications Security (CCS'03), Oct. 27-31, Washington, DC, USA, 2003.
[17] C. Warrender, S. Forrest and B. Pearlmutter, "Detecting intrusions using system calls: alternative data models," 1999 IEEE Symposium on Security and Privacy, 1999.
[18] Guofei Jiang, "Weak model for robust process detection," SPIE Symposium on Defense and Security, Florida, April 2004.
[19] Vince Berk, Wayne Chung et al., "Process query system for surveillance and awareness," 7th World Multi-conference on Systemics, Cybernetics and Informatics (SCI 2003), July 27-30, Orlando, FL, 2003.