Intrusion-Detection Systems

Daniel E. O'Leary

SYNOPSIS:

Researchers recently have begun to develop intrusion-detection systems that detect potential and actual computer system intruders. These systems build and analyze profiles of expected user behavior, which are then compared to actual patterns to ascertain if a user is behaving as expected.

Some of the previous research in intrusion-detection systems is reviewed and a number of the characteristics and assumptions of those systems are discussed. Typically, those systems employ (among other devices) statistical analysis to aid in determining if an attempted intrusion is occurring or when an intrusion has already occurred. Unfortunately, many of the statistical methods make important distributional assumptions or use weak nonparametric methods. If the assumptions are inappropriate or the methods are weak in gathering knowledge from the data, then the results also will be weak. This paper proposes mitigating these problems by using alternative statistical methods.
