Dealing with interleaved event inputs for intrusion detection

Hsing Kuo Pao, Fong Ruei Lee, Yuh-Jye Lee

Research output: Contribution to journalArticlepeer-review


We propose an intrusion detection method that can deal with interleaved event inputs. The event sequences may be alert sequences in a network or running processes on a host which are both considered to contain mixed behaviors with unpredictable orders in the temporal domain. To detect intrusions with interleaved event sequences, one of the major difficulties is to separate the interleaved events that are produced by different users or for different intentions. We propose a novel ATM algorithm to extract subsequences that characterize different behaviors; afterwards, a method that is based on graph representation is used to detect intrusions. In a network, there could be intruders who plan a DDoS attack on an environment that has mostly benign users. The proposed method can distinguish between different pieces of network data that represent different behaviors and locate where the intrusion is. On a host, users without enough privilege may inappropriately gain access to data that they are not supposed to see. The proposed method can detect the event subsequence that is associated with the unauthorized activity given a usage sequence from users such as process, command or log sequences. Given the network or host-based data, the experiment results show that the proposed method can reach high precision and recall rates at the same time in the intrusion detection task. Moreover, the graphs produced by the proposed ATM method are also compared to the graphs generated from other methods to confirm that the ATM-based graph representation indeed describes meaningful transitions between events.

Original languageEnglish
Pages (from-to)223-242
Number of pages20
JournalJournal of Information Science and Engineering
Issue number1
StatePublished - 1 Jan 2019


  • Event sequence
  • Host-based intrusion
  • Interleaved event
  • Intrusion detection
  • Network-based intrusion

Fingerprint Dive into the research topics of 'Dealing with interleaved event inputs for intrusion detection'. Together they form a unique fingerprint.

Cite this