Focus on Research
Penn State Intercom......June 6, 2002

Methods of detecting computer
network intruders rated

By Barbara Hale
Public Information RESEARCHÜChu

A team of Penn State and Iowa State researchers has tested and rated three "smart" classification methods capable of detecting the telltale patterns of entry and misuse left by the typical computer network intruder and found that one, called "rough sets," currently overlooked by the industry, is the best.

The researchers report that computer security breaches have risen significantly in the last three years. In February 2000, Yahoo, Amazon, E-Bay and E-Trade were shut down due to denial-of-service attacks on their Web servers. The U.S. General Accounting Office (GAO) reports that about 250,000 break-ins into federal computer systems were attempted in one year and 64 percent were successful. The number of attacks is doubling every year and the GAO estimates that only 1 percent to 4 percent of these attacks will be detected and only about 1 percent will be reported.

Chao-Hsien Chu, associate professor of information sciences and technology and of management science and information systems at Penn State, began the study when he was on the faculty at Iowa State University. His Iowa State co-researchers are Dan Zhu, assistant professor of management information systems, and G. Premkumar, associate professor of management information systems; and Xiaoning Zhang, Chu's former master's student.

"No network security system or firewall can ever be completely foolproof," Chu said. "So there is always a need for a 'watchdog' to patrol the network and signal when an intrusion occurs. Commercially available 'watchdog' systems depend on traditional statistical techniques. However, the newer 'smart' methods promise to have a significant impact on accuracy."

Even the cleverest intruder leaves electronic footprints on breaking and entering a secure computer data network such as bank, medical or credit records. The new "smart" methods can collect information from a variety of sources within the network, "learn" the patterns typical of a perpetrator trying to gain a level of control similar to that of the people who legitimately operate the network, and make a reasoned prediction about whether the pattern represents intrusion or not.

The team focused on three "smart" approaches, known as data mining techniques, namely: neural nets, inductive learning and rough sets. All three data mining techniques can collect information, "learn" and make reasoned predictions.

Neural nets and inductive learning have previously been used in intrusion detection and research by others has found these methods to be successful and effective. Chu noted that rough sets, a relatively new approach, has not been applied to intrusion detection. The researchers said their study is the first to evaluate and compare multiple data mining methods, including rough sets, in the intrusion detection context.

The researchers reported that the rough sets method does not require any preliminary or additional information about the data and can work with missing values and less expensive or alternative sets of measurements. The method can work with imprecise values where a pair of lower and upper approximations replaces imprecise or uncertain data. It is also able to discover important facts hidden in the data and express them in the natural language of decision rules.

A powerful method for characterizing complex, multidimensional patterns, rough sets has been successfully applied in knowledge acquisition, forecasting and predictive modeling, and decision support.

In their study, the team used data from the privileged program sendmail, a program in use in virtually every Unix site that has e-mail.

The average classification accuracy rate for the three programs was as follows: rough sets 75.68 percent accurate; neural nets 69.78 percent accurate; and inductive learning 51.16 percent accurate.

In addition, the team found that training the programs on equal amounts of normal and abnormal sequences leads to better learning and a more accurate classification. Whether the data was represented as binaries or as integers, (neural nets cannot use both), did not significantly affect performance.


Barbara Hale can be reached at bah@psu.edu.

FROM THE EXPERTS

Tree advice drives home importance
of care, inspection

When it comes to buying trees, a University horticulturist suggests consumers treat a tree purchase with the same care they would use when buying a new car -- after all, chances are the tree will be around longer than the car.

"While an ornamental tree is nowhere near the price of a new car, you can save time, money and frustration by making sure your new tree is top quality," said J. Robert Nuss, professor emeritus of ornamental horticulture in the College of Agricultural Sciences.

Nuss suggested inspecting the tree's general appearance first. The trunk should be reasonably straight and the crown of the tree should be symmetrical. "When you closely examine the crown, no branches should extend from the trunk at angles less than 45 degrees," Nuss explained. "Narrow branch angles can cause structural problems as the tree grows."

Close observation of the tree's trunk can reveal problem areas that are easily recognizable, even to the greenest of gardeners. He suggests shoppers look for:

* Damage. Check for signs of cuts, scrapes or recent pruning. "A wound that is more than a quarter of the trunk's circumference is too large and can affect future health."

* Flaws. Look for areas that are discolored, sunken or swollen, all of which indicate problems beneath the bark.

* Borer damage. "Check for small circular holes in the bark," Nuss said.

* Cracks. Frost damage can result in shallow cracks in the bark.

Nuss offers some general guidelines to estimate tree growth and health:

* A trunk diameter of 11Ž2 inches translates to a tree between 9 and 13 feet tall. The root ball should be at least 20 inches in diameter.

* A trunk diameter of 2 inches translates to a tree between 13 and 15 feet tall. The root ball should be at least 24 inches in diameter.

* A 3-inch trunk diameter should be found on a tree between 14 and 16 feet tall. The root ball should be at least 32 inches in diameter.

* The size of the root ball should be roughly proportional to the crown, or area of branch spread, of the tree. "If the root ball is too small, it may not have enough roots to establish the tree," he said.

"Once you buy the tree, it's important to care for it," Nuss said. "Plant it as soon as you get home. If that's not possible, make sure to keep the root ball out of the sun and keep the burlap moist."

Back