Content-Type: text/html R-LAIR: Riverside Lab for Artificial Intelligence Research


Computer Science and Engineering

R-LAIR: Riverside Lab for Artificial Intelligence Research

A Continuous Time Bayesian Network Approach for Intrusion Detection (2010)

by Jing Xu

Abstract: Network attacks on computers have become a fact of life for network administrators. Detecting attacks accurately is important to limit their scope and destruction. Intrusion de- tection systems (IDSs) fall into two high-level categories: network-based systems (NIDS) that monitor network behaviors, and host-based systems (HIDS) that monitor system calls. In this work, we present a general technique for both systems.

We consider the problem of detecting intrusions of the host level. We use anomaly de- tection, which identifies patterns not conforming to a historic norm. Our approach does not require expensive labeling or prior exposure to the attack type. In both types of systems, the rates of change vary dramatically over time (due to burstiness) and over components (due to service difference). To efficiently model such systems, we use continuous time Bayesian networks (CTBNs) and avoid specifying a fixed time interval. We build generative models from historic non-attack data, and flag future event sequences whose likelihood under this norm is below a threshold.

As a NIDS, our method differs from previous approaches in explicitly modeling tempo- ral dependencies in the network traffic. Our models are therefore more sensitive to subtle variations in the sequences of network events. We first construct a factored CTBN model for the network packet traces. We present two simple extensions to CTBNs that allow for instantaneous events that do not result in state changes, and simultaneous transitions of two variables. We then extend this model to a connected one. We construct it in a hierarchical way and use Rao-Blackwellized particle filtering for inference. We illustrate the power of our method through experiments on detecting real worms and identifying hosts on two publicly available network traces, the MAWI dataset and the LBNL dataset.

For HIDS, we develop a novel learning method to deal with the finite resolution of system log file time stamps, without losing the benefits of our continuous time model. We demon- strate the method by detecting intrusions in the DARPA 1998 BSM dataset.

Download Information

Jing Xu (2010). A Continuous Time Bayesian Network Approach for Intrusion Detection. Doctoral dissertation, University of California at Riverside. pdf      

Bibtex citation

   author = "Jing Xu",
   title = "A Continuous Time {B}ayesian Network Approach for Intrusion Detection"
   school = "University of California at Riverside",
   schoolabbr = "UC Riverside",
   year = 2010,
   month = Aug,

full list

More Information


University of California, Riverside
Chung Hall, room 368
Riverside, CA 92521


External Links