Anomaly Detect ion using Visualization and Machine Learning
Fumio Mizoguchi
Information Media Center, Science University of Tokyo
Noda, Chiba, 278-8510, Japan
mizo Oimc .sut .ac.jp
Abstract
Unauthorized access f r o m inside or outside an or-
ganization has become a social problem in the last few
years, making a system that can detect such accesses
desirable. W e therefore monitor normal activities us-
ing inductive logic programming (ILP) which is one of
machine learning and detect anomalies. To ensure ef-
fective monitoring, we think the following two points
must be considered. One point is automation of de-
tection b y I L P system, which is a rule generation en-
gine, that always induces and updates eflective rules.
The other point is providing a visualization too1 that
reflects induced rules to the detection system. This tool
enables an administrator to understand detection situ-
ations. For automated detection, we provide the I L P
system with an automatic parameter adjustment func-
tion. For the visualization tool, we a p p l y the visualiza-
tion technology of a hyperbolic tree.
1 Introduction
Unauthorized accesses to computers or networks are
increasing every year. In addition, according t o an in-
vestigation of CSI-FBI in 1999 [l],many organizations
have been greatly damaged by internal and external
crime. For this reason, there is increasing interest in
intrusion detection. One type of intrusion detection
is anomaly detection that determines the normal use
state using statistic or machine learning and detects
exceptions. This includes research that rule-izes usual
telephone-call records by machine learning and mon-
itors such records to detect telephone fraud [a], and
that analyzes the sequence of the command logs by
using machine learning [3].
However, the existing anomaly detection systems are
in the examination stage for automatic generation of
an optimum rule and automatic renewal, as well as its
application method. We have resolved this problem
by using an inductive logic programming (ILP) system
with a function to automatically adjust parameter as
165
0-7695-0798-9/00 $10.00 0 2000 IEEE
the rule generation engine [4]. This paper also exam-
ines anomaly detection using the system.
It is difficult for a n administrator t o comprehend the
voluminous audit data when trying to detect anoma-
lies. Therefore, we propose a visual browser in order
to support an administrator browsing analyzed results
or raw data. Furthermore, we seek to detect anomalies
visually through interaction of the browser and a vi-
sual tool, and to bring out the structure of audit data.
As the visual tool, we use WebMap [5], which is a vi-
sual tool added the concept of the height to a hyper-
bolic tree. This paper presents research relevant to the
Cuckoo Egg Project [6], which seeks t o detect intrusion
by machine learning and visualization techniques.
This paper is organized as follows: Section 2 de-
scribes the architecture of our intrusion detection sys-
tem, Section 3 explains the Visual browser that plays
the most important role in our system. Section 4 de-
scribes the method of generating user profiles by using
ILP, Section 5 provides the experimental results and
final section contains our conclusions.
2 Intrusion Detection System with Vi-
sual browser
We designed Intrusion Detection System with Vi-
sual browser (IDS-V). The figure 1 shows the system
architecture of IDS-V that consists of Log database,
Profiling engine, Log checker and Visual browser.
Log checker monitors user events which are collected
in the Log database as audit log. The Log database is
the center of IDS-V. The log d a t a is referred by Profile
engine and Log browser.
The Profile engine generates profiles of each users.
We adopt Inductive Logic Programming (ILP) to in-
duce a rule from audit data. The generated profiles
is sent to the Log checker and Visual browser. Log
checker filters the user events using the profiles and
we can edit the profile using Visual browser. The Log
checker detects anomaly event based on the profiles and
notify the fact that anomaly event happens to Visual

Figure 1: System architecture of IDS-V
browser. Visual browser also get the log data from the
Log database and it shows us the log structure and
classification based on the profiles from the Profiling
Engine.
The Log checker is able to reduce the log data, how-
ever, it is hard to generate perfect profiles to detect
anomaly event using the machine learning. So, we
should use rough rules rather than strict rules not to
lose anomaly event. Therefore, there are some cases
that the Log checker reacts on normal log as anomaly
event. In these case, an administrator must judge
whether the detected log is real anomaly or not. The
Visual browser helps an administrator to check the log
leaking from the Log checker.
Our IDS-V deal with command logs as user events
and collects the following data set:
e User name (who)
e Host name (where)
0 Executed command name (what)
0 Parameter of the executed command (how)
e data and time (when)
Thus, IDS-V can monitor user behaviors in the net-
work. The data set is stored in the Log database.
3 Visual browser
Visual browser help an administrator for log brows-
ing, and clarify the structure of audit data visually by
using a hyperbolic tree as the visualization to perform
166
effective browsing and help the troublesome task to find
the track of an intruder.
The figure 2 shows our Visual browser’. The text
field is to input the query to get log data from Log
database and it has three browsing buttons: “Get” is
to get the log data corresponding to the query, “Clear”
is to clear the text field and “Back” is to show the
previous log data.
There are four tabbed panels on this system: Log
browser, Visualize, Profile, and Property. The Prop-
erty panel is not shown in figure 2, it is to set
some properties such as hostname of each servers (Log
database, Log checker and Profile engine) and timing
getting log data such as getting logs before 60 seconds
from current time. Other panels are explained in the
following sections.
3.1 Log browser
Log browser is to browse logs that are listed on the
spread sheet in the order of new log. The showing log is
user command: the first column is the user name, the
second one is the host name where the user execute
the command, third one is the executed command and
the last column is the time when the user execute the
command.
Notified anomaly event from the Log checker, the
cuckoo icon start moving and let us know the detection
by the cawing of a cuckoo. The log associated to the
anomaly event is listed in red.
The logs corresponding to the query in the text field
are returned by Log database. For example, if we can
get the log related to the user “hiraishi” “AND” ma-
chine “imct451”, we just set the following query:
usr(hiraishi) & hst(imct451)
And we can also set “ I ” for the “OR” operation. If we
set empty as the query, the database returns all logs
contained the time range setting in the Profile.
When we click on the text on the spread sheet, The
item is also appended to the query and down load logs
from the database automatically. So, we can browse
and go close up to the intended logs.
3.2 Visualize
The most important role of visualization is to en-
able us to easily understand the use status of devices
and networks. Therefore, it is important to design a
browser for visualizing audit data. “Audit work bench
[?I” developed at the University of California is one
such attempt. Although the objective of this paper is
‘It is implemented by Java Language jkd1.2.2.
 Browsing Buttons
Figure 2: Visual browser
close to that of using their visual browser t o audit data,
we focus on extracting and visualizing the information
from data in data mining.
In order to visualize audit logs, we adopted the
WebMap visualization technique [SI, which maps Web
URLs onto. a hyperbolic plane. Our visualization
makes hierarchy basically in the following order: “User
name”, “Host name”, “Command name” and “Param-
eters”. However, in the “Command name” level, we
divided into four categories as the characteristics of
command:
0 Un-ruled command
This category is the most dangerous. The com-
mands does not conform to the profile is classified
into this category. So, they may be commands an
intruder executes.
0 Danger command
167
Visualize
*, - --
Hyperbolic tree
Commands that imply the use of the network and
commands that system administrators frequently
use (su, finger, ftp, telnet, rlogin, alias, configure,
nmap, etc.) tend to be used to intrude into the
network and stole password data. We make this
category in order t o become aware of the executing
such commands.
0 Safety command
This category includes the commands correspond-
ing to the profile and plain safety commands like
Is, cd, jlatex, java, etc.
0 Unknown command
Commands except for any of the above belong to
this category. This includes many cases of typing
mistakes and also includes the original command
of users.
 We should first checks the un-ruled command, If
many branches have grown from the node of un-ruled
commands, We should regard the user as an intruder.
Then if the danger command has many branches and
the user is not an administrator, it indicates that the
user might do illegal use and there is a possibility that
the intruder pretends to be the user. Even if there are
many branches in safety command, it is not necessary
to care about it. It is quite normal phenomenon. In-
stead, a few commands mean anomaly. When many
commands are in the unknown command, the admin-
istrator should check whether the command is mis-
typing or not.
A hyperbolic tree can be changed arbitrarily by
mouse operations. Focus is changed by clicking the
mouse on a node. Mouse dragging can be accepted at
any position, making it easy for users to change the
viewpoint of the tree. We can also cutoff branches
above the clicked node by using “Cutoff” button. The
new hyperbolic tree consisting of only branches under
the clicked node is reconstructed. This allows us to
make the tree focusing on the special purpose like the
command category as mentioned above. In this way,
the administrator can browse and understand huge logs
visually.
3.3 Profiling
The profiles generated by Profiling engine is also
shown in the text area of our visual browser. The pro-
files are listed every users in the following form:
--- hiraishi ---
imct-r03,kterm,&,i
*, java,
The first line indicates the user name and the follow-
ing lines contains the profiles of the user. The second
line means that the user “hiraishi” uses the command
“kterm” at the machine “imct-r03” and he sets the pa-
rameter “ & ” at the first argment. The “ * ” is the
wildcard, the third line indicates he uses ‘tjava” com-
mand at any machines.
Since the profiles generated by Profiling engine is
not complete for anomaly detection. We can edit and
create the profiles in the text area of our browser.
168
4 Generating Profiles
In order to induce the rules, we apply an inductive
logic programming (ILP) system, and use it as the rule
generation engine, in other words, the profiling gener-
ation engine. The ILP system learns from an example,
enables relational learning, and produces a result for
incremental learning. The framework of ILP is repre-
sented as following:
BAHI=E+
B A H A E - F ~
where, Et is the positive examples, E - is the negative
examples and B is the background knowledge. Thus,
the purpose of ILP induces the hypothesis H .
In the method like decision tree general used in data
mining, we must combine target tables to generate the
relational rules. However, ILP can generate rules from
the distributed tables. It is natural that the logs is
distributed such as the computer is distributed in the
network. So, the ILP is more suitable for the log data
analysis.
This learning system is implemented in Java lan-
guage, and references both Muggleton’s Inverse Entail-
ment [7] and the GKS algorithm [8]. This system uses
the objective function by including positive examples
and the hypothetical length, and gives the rate of neg-
ative examples (Error rate), which the user establishes,
as the constraint, and determines the best hypothesis
(rules) from the most special case.
However, existing ILP systems, including this sys-
tem, must set up a search parameter. Therefore, when
the users induce the rules from data by ILP system,
they must adjust the parameters, considering the per-
formance of rules. This becomes an obstacle, when we
incorporate a learning system into the detection sys-
tem and automate it. We therefore define a function by
which the system automatically adjusts search param-
eter by observing the value of a performance measure
(parameter). We call this function ’parameter tun-
ing’. When we implement this function, we use the
result of Cross-validation and Bootstrap method [9] of
re-sampling method. Our system then adjusts the pa-
rameter by learning them. Thus, we seek to perform
effective rule generation for large scale audit data by
harvesting the re-sampling technique. Furthermore, we
use the induced rules as profiling.
4.1 Automatic parameter adjustment
met hod
The ILP system that we apply must set up an error
rate that implies how the hypothesis can include neg-
ative examples. The performance (Table 1) of a rule
is influenced by the setup, so we automatically adjust
the error rate so that it may maximize the performance
measurement specified by a user.
A hypothesis A hypothesis
regards as regards as
1 a positive example 1 a negative example
E+ I True Positive I False Negative
I E- I False Positive I True Negative
Sensitivity = True Positive (TP) / Et
Specificity = True Negative (TN) / E -
Accuracy = (TP + TN) / ( E s + E - )
At this time, it can provide the remaining parame-
ters that are not specified as constraint conditions. The
parameters that it can maximize are accuracy, sensi-
tivity, and specificity. These parameters are obtained
from the re-sampling technique. The parameters are
such that the error rate tends to increase when sensi-
tivity increases and decrease when specificity increases.
The error rate that yields the best parameter values is
obtained by binary search considering the relation of
the error rate and the parameter.
A practical processing procedure is as follows. First,
a user selects a parameter (Table 1) to maximize and
sets the remaining parameter as constraint conditions.
The system then generates a training set and a test
set by a re-sampling process like Cross-validation or
bootstrap. Next, it learns the training set, tests the
test set, asks for the performance evaluation shown in
Table 1, and checks whether the ILP system satisfies
the constraint. If the constraint is satisfied, the system
updates the error rate so that the target parameters
may be maximized (maximization process). If the con-
straint is not satisfied, the system updates the error
rate so that the constraints are satisfied (adjustment
process). The system then updates the error rate re-
peatedly until the parameters becomes constant.
5 Experimental results
In order to clarify the effectivity of our visualization
and profiling, we simulated the situation that an in-
truder pretends to be a user. Using logs of two users A
and B , we added logs of the user A to logs of the user
B little by little.
The user A and B use about 900 commands in one
month. The main work of the user A is editing the text
and Java programming. In contrast, the user B is the
administrator in our network. He often uses the com-
mand for system administration and writes program by
using C language. So, the user A tends to behave such
as an intruder.
We derived profiles with ILP in the three methods:
logs of the target user is set as the positive ex-
ample, in contrast, logs of other users is set as
the negative example and we gave the use way
of commands and login status as the background
1
knowledge In this case, the rules emphasizing how
the target user use commands are derived. For
example,
userA(X) : - login(X, “ i m c t x ” , Y),
type(Y, “ m u l e , t , i ” ) .
In the machine “imctX”, the user A use the com-
mand “mule” with the parameter “ & ” at the first
argument.
Inducing rules from only logs of the target user. we
gave the use way of commands as the background
knowledge. In this case, the rules the target user
frequently uses are derived. For example,
userA(X) :- type(X, ffls,-al,i”).
This means user A uses the command “1s” with
the parameter “-al” at the first argument.
When a rule that incorporates the login status is
generated, we can learn that a user logs in from a spe-
cific host to another certain host with a decided format
such as telnet login. I When we analyzed command
logs, we found that the order of the arguments and
how to use command are unique.
The figure 3 shows the changing of tree structure.
First we generated profiles of the user A using 1000
commands. The tree structure of the fist step is the (A)
in the figure 3. The (B) is the structure after adding
20 commands. At this time, we can find the change of
tree structure easily, the number of branch at the un-
ruled command is increased. Since the user B is not a
system administrator, there is no such a command in
his profiles and the command “su” is categorized in the
un-ruled command.
The (C) is the result after adding 100 commands
of the user A. The “su” command is in the danger
command. This means the profile that the user B use
“su” command is generated by ILP. If an administrator
can not notice the intrusion and the ILP induces from
logs contains anomaly events, the ILP may generate
the rules infected with the anomaly logs. As a result,
169
the profiles can not work effectively any longer. In
our experiment, the 100 logs correspond to the logs
collected for 3 days. The administrator should check
logs once 3 days at least.
However, since we set the four command categories,
even if the rules infected with the anomaly logs are gen-
erated, the commands associated such rules is classified
into danger command or unknown command. We can
find the trace of intrusion by checking their branches.
danger
=r-?
'*I-
*:**
/ navigation tool into a browser for mining W W W
Figure 3: Changing of tree structure
6 Conclusion
We design the intrusion detection system with the
visual browser that helps an administrator for log
browsing, and clarify the structure of audit data visu-
ally by using a hyperbolic tree as the visualization t o
perform effective browsing and help the troublesome
task to find the track of an intruder. We implemented
170
the following two functions
0 Visualization function that reflects rules induced
by ILP system
0 Automatic parameter adjustment for search on
ILP system
By implementing these two functions, we attempted to
automate a system and facilitate visual perusal of a sit-
uation. In short, we proposed a framework of anomaly
detection using such technologies.
References
[l] CSI-FBI, 1999 CSI-FBI Survey Results,
http://www.gocsi.
com/summary.htm, 1999.
[2] T.Fawcett and F.Provest, Adaptive fraud detec-
tion, Data Mining and Knowledge Discoveryl, 291-
316, 1997.
[3] B.D.Davison and H.Hirsh, Predicting sequences of
user action, In Predicting the Future: AI Approaches
to Time Series Problems, AAA1 Press, pp.5-12. WS-
98-02, 1998.
[4] F.Mizoguchi, H.Ohwada, J .Tuchiya, Development
of agent type datamining system, Information-
Technology Promotion Agency, Japan, 1999.
[5] HSawai, H.Ohwada, F.Mizoguchi, Incorporating a
information, The First International Conference on
Discovery Science, 1998.
[B] F.Mizoguchi, Visual browser for intrusion detection
- Cuckoo egg project, CSS'99, 1999.
[7] S.Muggleton, Inverse Entailment and Progol, New
Generation Computing, 13:245-286, 1995.
[8] F.Mizoguchi and €I.Ohwada, Using Inductive
Logic Programming for Constraint Acquisition in
Constraint-based Problem Solving, Proc. Of the 5th
International Workshop on ILP, 297-322, 1995
[9] M.Weiss and A.Kulikowski, Computer Systems
T h a t Learn, Morgan Kaufmann Publishers, 1991