Skip to main content
SpringerLink
Log in

On the Use of Word Networks to Mimicry Attack Detection

  • Conference paper
Emerging Trends in Information and Communication Security (ETRICS 2006)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 3995))

Abstract

Intrusion detection aims at raising an alarm any time the security of an IT system gets compromised. Though highly successful, Intrusion Detection Systems are all susceptible of mimicry attacks [1]. A mimicry attack is a variation of an attack that attempts to pass by as normal behaviour. In this paper, we introduce a method which is capable of successfuly detecting a significant and interesting sub-class of mimicry attacks. Our method makes use of a word network [2, 3]. A word network conveniently decomposes a pattern matching problem into a chain of smaller, noise-tolerant pattern matchers, thereby making it more tractable. A word network is realised as a finite state machine, where every state is a hidden Markov model. Our mechanism has shown a 93% of effectivity, with a false positive rate of 3%.

This research was partially supported by three grants: FRIDA, CONACYT 47557 and ITESM CCEM-0302-05.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Wagner, D., Soto, P.: Mimicry Attacks on Host Based Intrusion Detection Systems. In: Proceedings of the Ninth ACM Conference on Computer and Communications Security, Washington, DC, USA, pp. 255–265. ACM, New York (2002)

    Google Scholar 

  2. Young, S., Evermann, G., Kershaw, D., Moore, G., Odell, J., Ollason, D., Povey, D., Valtchev, V., Woodland, P.: The HTK Book for HTK Version 3.2, Cambridge University Engineering Department (2002)

    Google Scholar 

  3. Pereira, F., Riley, M.: Speech Recognition by Composition of Weighted Finite Automata. In: Roche, E., Schabes, Y. (eds.) Finite-State Language Processing, pp. 431–453. MIT press, Cambridge (1997)

    Google Scholar 

  4. Brown, M.: RNA Modeling Using Stochastic Context-Free Grammars. PhD thesis, University of California, Santa Cruz (1999)

    Google Scholar 

  5. Manning, C.D., Schütze, H.: Foundations of Statistical Natural Language Processing. MIT Press, Massachusets Institute of Technology, Cambridge, Massachusets 02142 (1999)

    Google Scholar 

  6. Rabiner, L.R.: A Tutorial on Hidden Markov Models and Selected Applications in Speech Recognition. Proceedings of the IEEE 77, 257–286 (1989)

    Article  Google Scholar 

  7. Warrender, C., Forrest, S., Pearlmutter, B.: Detecting Intrusions Using System Calls: Alternative Data Models. In: Proceedings of the 1999 IEEE Symposium on Security and Privacy, pp. 133–145. IEEE Computer Society Press, Los Alamitos (1999)

    Google Scholar 

  8. Tan, K.M.C., Maxion, R.A.: Why 6? Defining the Operational Limits of STIDE, an Anomaly-Based Intrusion Detector. In: Proceedings of IEEE Symposium on Security & Privacy, pp. 188–201 (2002)

    Google Scholar 

  9. Qiao, Y., Xin, X., Bin, Y., Ge, S.: Anomaly Intrusion Detection Method Based on HMM. Electronic Letters 38, 663–664 (2002)

    Article  Google Scholar 

  10. Yeung, D., Ding, Y.: Host-Based Intrusion Detection Using Dynamic and Static Behavioral Models. Pattern Recognition 36, 229–243 (2003)

    Article  MATH  Google Scholar 

  11. Kendall, K.: A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems. Master’s thesis, Massachusetts Institute of Technology (1998)

    Google Scholar 

  12. Lippman, R.P., Cunningham, R.K., Fried, D.J., Graf, I., Kendall, K.R., Webster, S.E., Zissman, M.A.: Results of the DARPA 1998 Offline Intrusion Detection Evaluation. In: RAID 1999 Conference (1999) (slides presentation)

    Google Scholar 

  13. Giffin, J., Jha, S., Miller, B.: Efficient Context-Sensitive Intrusion Detection. In: Proceedings of the 11th Annual Network and Distributed Systems Security Symposium (NDSS), San Diego, California, The Internet Society (2004)

    Google Scholar 

  14. Schonlau, M., DuMouchel, W., Ju, W., Karr, A., Theus, M., Vardi, Y.: Computer Intrusion: Detecting Masquerades. Statistical Science 16, 1–17 (2001) (to appear)

    MathSciNet  MATH  Google Scholar 

  15. Maxion, R., Townsend, T.: Masquerade Detection Using Truncated Command Lines. In: Proceedings of the International Conference on Dependable Systems & Networks, Washington, DC, pp. 219–228. IEEE, Los Alamitos (2002)

    Chapter  Google Scholar 

  16. Scott, C., Joel, B., Boleslaw, S., Eric, B.: Intrusion Detection: A Bioinformatics Approach. In: Proceeding of the 19th Annual Computer Security Applications Conference, Las Vegas, Nevada, pp. 24–33 (2003)

    Google Scholar 

  17. Boleslaw, S., Yongqiang, Z.: Recursive Data Mining for Masquerade Detection and Author Identification. In: Proceedings of the 5th IEEE System, Man and Cybernetics Information Assurance Workshop, West Point, NY, pp. 424–431. IEEE, Los Alamitos (2004)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Computer Science, ITESM–Estado de México, Carr. Lago de Guadalupe, Km. 3.5, Estado de México, 52926, Mexico

    Fernando Godínez & Raúl Monroy

  2. DFKI, Saarbrücken University, Stuhlsatzenhausweg 3, D-66123, Saarbrücken, Germany

    Dieter Hutter

Authors
  1. Fernando Godínez
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Dieter Hutter
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Raúl Monroy
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Institut für Informatik und Gesellschaft, Abt. Telematik, Albert-Ludwigs-Universität Freiburg, Friedrichstr. 50, 79098, Freiburg, Germany

    Günter Müller

Rights and permissions

Reprints and permissions

Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Godínez, F., Hutter, D., Monroy, R. (2006). On the Use of Word Networks to Mimicry Attack Detection. In: Müller, G. (eds) Emerging Trends in Information and Communication Security. ETRICS 2006. Lecture Notes in Computer Science, vol 3995. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11766155_30

Download citation

  • DOI: https://doi.org/10.1007/11766155_30

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-34640-1

  • Online ISBN: 978-3-540-34642-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation