
Student: 李豐瑞 (Fong-Ruei Lee)
Thesis title: Graph-Based Behavior Analysis for User Verification
Advisor: 鮑興國 (Hsing-Kuo Pao)
Committee members: 李育杰 (Yuh-Jye Lee), 邱舉明 (Ge-Ming Chiu), 陳昇瑋 (Sheng-Wei Chen)
Degree: Master
Department: College of Electrical Engineering and Computer Science, Department of Computer Science and Information Engineering
Year of publication: 2010
Graduation academic year: 98 (ROC calendar)
Language: English
Pages: 60
Keywords (given in Chinese and English): Verification, Behavior analysis, Intrusion detection, Markov chain, Dissimilarity measure, Manifold learning

Chinese abstract (translated):

In our daily lives, people's activities are inseparable from electronic communities and websites. Many activities rely on network services, for example finding a nearby coffee shop, paying online, or even scheduling daily activities. Many network services, however, need to verify the user's identity and privileges. In the network environment, unlawful users steal user data through network attacks; on a personal host, a user without login privileges may obtain data by some means, which is not what we want to see. We propose a mechanism that achieves automatic verification using nothing but the user's computer-usage profile.

We discuss two types of computer usage: network-side usage behavior and host-side usage behavior. The proposed method can monitor network-side and host-side data, obtain the user's profile, and then decide the user's identity. In the network environment, users may obtain valuable data through the network. To avoid network attacks, we usually adopt intrusion detection systems to strengthen network security. Specifically, an intrusion detection system produces alert sequences, and we want to identify whether these alert sequences contain malicious behavior. However, intrusion detection systems produce a large amount of false-alarm data, which makes handling by IT staff difficult. On the host side, users may run processes for their work such as compiling Java programs, browsing the web, or playing online games. In this part, therefore, user identity is distinguished through user profiles built from process sequences.

As input, both alert sequences and process sequences are one type of sequential data. Unlike other sequential data, handling network-side or host-side sequential data may run into some difficulties. Sequences produced by different users interleave with each other, and the data may be noisy, so that the user profile is hard to describe. We therefore propose a verification approach that extracts behaviors from the alert sequence or process sequence.

We use graphs to describe certain intentional behaviors in the sequential data, use a Markov chain model to describe the causal relations between behaviors, and use graphs to present user behaviors. To distinguish two kinds of behavior, we compute the distance between behaviors through a graph dissimilarity measure. Finally, we use manifold learning to re-represent these behaviors in a new dimensional space and distinguish malicious behavior and unauthorized data-access behavior.

In experiments, our method achieves high detection accuracy while maintaining low false positives.


English abstract:

Part of our lives exists in an electronic community. Many of our activities rely on web services like searching for coffee shops, paying money to banks, even scheduling our daily activities. Many of the services need a verification process to confirm our identity and user privilege. In a network, unlawful users may issue attacks to steal information through the Internet. The verification step can help us to distinguish between the lawful users and intruders. In a host, users without enough privilege may gain access to data they are not supposed to see. We propose a mechanism to allow automatic verification given nothing but the user's computer usage profile.

We discuss two types of computer usage: network usage and host usage. The proposed method can monitor the network or host data for user profiling and to decide the user identity. In a network environment, the user may use the web to obtain valuable information. To avoid network attacks, we usually adopt intrusion detection systems (IDS) to enhance network security. More specifically, given alert sequences generated by an IDS, we would like to spot the subsequences with malicious behavior. The challenge in this case is to filter out the false alarms in the alert sequences. In a host, users may run processes for their tasks like compiling Java code, surfing the web, or playing online games. In this case, the input is a process sequence and our goal is to distinguish user identities with different user profiles.

Input like alert sequences or process sequences is one kind of sequential data. Different from other sequential data, network or host sequential data presents some difficulties. The subsequences generated from different users with different intentions may interleave with each other. Also, the data may be noisy, so that the typical user profile is hard to describe. Here, we propose an approach for verification based on the behaviors extracted from an event sequence such as an alert sequence or a process sequence.

We use a graph to describe a subsequence with a certain intention. The graph is built by a Markov chain model with a sliding window to describe the behavior in the sequence. To distinguish between two behaviors, we propose a graph-based dissimilarity measure. Finally, we use manifold learning to represent the behaviors and to detect malicious behavior or unauthorized access. The experimental results show that the proposed method can reach high detection accuracy while maintaining low false positives.
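The pipeline the abstract sketches (a sliding window over an event sequence, a Markov-chain graph per window, and a graph dissimilarity between behaviors) as an added Python example; this is not the thesis's own code. The alert type names and sequences are constructed for illustration, and the L1 distance between transition matrices is an assumed dissimilarity measure, since the abstract does not state the measure the thesis defines. The manifold-learning step on the resulting distance matrix is left out.

```python
"""Markov-chain behavior graphs from event sequences plus a graph dissimilarity.

Added illustration: alert type names, sequences and the dissimilarity measure
are constructed here and are not taken from the thesis.
"""
from collections import defaultdict

# Constructed reference sequences of IDS alert types (names are made up).
SCAN_SEQ = ["PING", "SCAN", "SCAN", "PROBE", "SCAN", "PROBE"]
WEB_SEQ = ["GET", "GET", "POST", "GET", "DNS", "GET"]


def transition_graph(seq):
    """Build a first-order Markov-chain graph from one (sub)sequence.

    Nodes are event types; the edge a -> b carries the estimated
    transition probability P(next = b | current = a).
    """
    counts = defaultdict(lambda: defaultdict(int))
    for cur, nxt in zip(seq, seq[1:]):
        counts[cur][nxt] += 1
    graph = {}
    for cur, succ in counts.items():
        total = sum(succ.values())
        graph[cur] = {nxt: n / total for nxt, n in succ.items()}
    return graph


def graph_dissimilarity(g1, g2):
    """Assumed measure: L1 distance between the two transition matrices,
    taken over the union of their edges (0.0 for identical graphs)."""
    edges = {(a, b) for g in (g1, g2) for a, succ in g.items() for b in succ}
    return sum(abs(g1.get(a, {}).get(b, 0.0) - g2.get(a, {}).get(b, 0.0))
               for a, b in edges)


def sliding_windows(seq, size, step=1):
    """Cut a long event stream into fixed-size windows (empty if too short)."""
    return [seq[i:i + size] for i in range(0, len(seq) - size + 1, step)]


def nearest_behavior(window, references):
    """Return (label, distance) of the reference graph closest to the window."""
    g = transition_graph(window)
    scored = ((name, graph_dissimilarity(g, ref)) for name, ref in references.items())
    return min(scored, key=lambda pair: pair[1])


def label_stream(stream, references, size, step):
    """Label every window of an event stream with its nearest reference behavior."""
    return [nearest_behavior(w, references)[0]
            for w in sliding_windows(stream, size, step)]


# Reference behaviors a defender would build from labelled historical data.
REFERENCES = {"scan": transition_graph(SCAN_SEQ), "web": transition_graph(WEB_SEQ)}

if __name__ == "__main__":
    # A constructed stream: benign web traffic followed by scanning alerts.
    stream = WEB_SEQ + ["PING", "SCAN", "PROBE", "SCAN", "PROBE"]
    for window in sliding_windows(stream, 6, 5):
        print(window, "->", nearest_behavior(window, REFERENCES))
```

Each window becomes a small transition graph, so two behaviors are compared by how their edge probabilities differ rather than by exact sequence match; a scan window that differs only in how often SCAN repeats still lands close to the scan reference. A distance matrix over many windows is what a manifold-learning step would then embed.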

Table of contents:

1 Introduction (p. 1)
  1.1 Motivation (p. 1)
  1.2 Proposed Method (p. 4)
  1.3 Outline of the Thesis (p. 5)
2 Related Work (p. 6)
  2.1 Intrusion Detection (p. 6)
    2.1.1 Attack Scenarios (p. 6)
    2.1.2 Correlation of Intrusion Alerts (p. 7)
  2.2 User Authentication (p. 8)
3 Framework (p. 11)
  3.1 Sequence Partition (p. 14)
    3.1.1 Time Stamp Separation (p. 14)
    3.1.2 IP-Separation (p. 14)
  3.2 Behavior Extraction (p. 16)
    3.2.1 ATM (All-Pairs, Threshold and Maximum spanning tree) (p. 16)
  3.3 Behavior Dissimilarity Measurement (p. 25)
  3.4 Graph Representation and Support Vector Machine (p. 25)
4 Data Set Description (p. 27)
  4.1 Network-based Data (p. 28)
    4.1.1 DARPA 1999 Data Set (p. 28)
    4.1.2 Acer eDC 2007 Data Set (p. 28)
  4.2 Host-based Data (p. 30)
  4.3 Data Analysis (p. 32)
5 Experiment (p. 35)
  5.1 Experiment Setting (p. 37)
  5.2 Experiment Result (p. 39)
    5.2.1 Qualitative Analysis (p. 39)
    5.2.2 Behavior Analysis (p. 44)
6 Conclusion and Future Work (p. 56)
  6.1 Conclusion (p. 56)
  6.2 Future work (p. 57)


Full text available from 2013/08/03 (campus network)
Full text not authorized for public release (off-campus network)
Full text not authorized for public release (National Central Library: Taiwan NDLTD system)