
Using Finite Automata to Mine Execution Data for Intrusion Detection: A Preliminary Report

  • Conference paper
Recent Advances in Intrusion Detection (RAID 2000)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 1907)

Abstract

The use of program execution traces to detect intrusions has proven to be a successful strategy. Existing systems that employ this approach are anomaly detectors, meaning that they model a program’s normal behavior and signal deviations from that behavior. Unfortunately, many program-based exploits of NT systems use specialized malicious executables. Anomaly detection systems cannot deal with such programs because there is no standard of “normalcy” that they deviate from.

This paper is a preliminary report on an attempt to remedy that situation. We report on a prototype system that learns to identify specific program behaviors. Though the goal is to identify malicious behavior, in this paper we report on experiments seeking to identify the behavior of the web-browser, since we did not have enough exemplars of malicious behavior to use as training data.

Using automatically generated finite automata, we search for features in execution traces that allow us to distinguish browsers from other programs. In our experiments, we find that this technique does in fact allow us to distinguish traces of Internet Explorer from traces of programs that are not web browsers, after training with Netscape and a different set of non-browsers.
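The following added example illustrates the idea sketched above: learn a finite automaton over execution traces for each program class, keep the transitions that appear in the browser automaton but not in the non-browser automaton as distinguishing features, and classify a trace from a browser the system was never trained on by how many of those features it exhibits. It is not the authors' algorithm, code or data; the automaton construction (state = the previous K calls), the threshold, and the system-call-like traces are all assumptions constructed for this illustration.

```python
"""Added example: learn a small finite automaton from execution traces and use the
transitions that separate one program class from another as classification features.
This illustrates the idea in the abstract; it is not the paper's algorithm or data.
All traces below are constructed, simplified system-call-like token sequences."""
from collections import defaultdict

K = 2          # automaton state = the previous K tokens (an assumption of this example)
START = "<s>"  # padding token so the first calls of a trace also yield transitions

# Constructed training data: one browser, standing in for the "train on Netscape" role
BROWSER_TRAIN = [
    ["open", "read", "socket", "connect", "send", "recv", "write", "close"],
    ["socket", "connect", "send", "recv", "recv", "write", "close"],
    ["open", "socket", "connect", "send", "recv", "write", "mmap", "close"],
]
# Constructed non-browser programs: an editor, a loader, a shell, a network server
NON_BROWSER_TRAIN = [
    ["open", "read", "write", "close"],
    ["open", "mmap", "read", "read", "close"],
    ["fork", "exec", "wait", "write"],
    ["socket", "bind", "listen", "accept", "recv", "send", "close"],
]


def transitions(trace, k=K):
    """Yield (state, next_token) pairs; the state is the tuple of the previous k tokens."""
    padded = (START,) * k + tuple(trace)
    for i in range(k, len(padded)):
        yield padded[i - k:i], padded[i]


def build_automaton(traces, k=K):
    """Learn a deterministic automaton: map each state to the set of tokens seen after it."""
    aut = defaultdict(set)
    for trace in traces:
        for state, tok in transitions(trace, k):
            aut[state].add(tok)
    return dict(aut)


def distinguishing_transitions(pos_aut, neg_aut):
    """Transitions present in the positive-class automaton but absent from the negative one.
    Shared transitions (e.g. every program starts with open or socket) carry no signal."""
    feats = set()
    for state, toks in pos_aut.items():
        for tok in toks - neg_aut.get(state, set()):
            feats.add((state, tok))
    return feats


def feature_score(trace, feats, k=K):
    """Fraction of a trace's transitions that are distinguishing features."""
    steps = list(transitions(trace, k))
    if not steps:
        return 0.0
    return sum(1 for step in steps if step in feats) / len(steps)


def classify(trace, feats, threshold=0.25, k=K):
    """Label a trace 'browser' if enough of its transitions are browser-specific.
    The threshold is an assumption; a real system would tune it on held-out traces."""
    return "browser" if feature_score(trace, feats, k) >= threshold else "non-browser"


FEATURES = distinguishing_transitions(build_automaton(BROWSER_TRAIN),
                                      build_automaton(NON_BROWSER_TRAIN))

# A different browser (the "test on Internet Explorer" role): it shares the
# connect/send/recv/write core but has different startup calls, and the automaton
# was never trained on it.
OTHER_BROWSER = ["mmap", "socket", "connect", "send", "recv", "write", "close"]
EDITOR = ["open", "read", "read", "write", "close"]
SERVER = ["socket", "bind", "listen", "accept", "recv", "send", "close"]

if __name__ == "__main__":
    for name, trace in [("other browser", OTHER_BROWSER), ("editor", EDITOR), ("server", SERVER)]:
        print(f"{name:14s} score={feature_score(trace, FEATURES):.2f} -> {classify(trace, FEATURES)}")
```

The server trace is the instructive case: it uses sockets like a browser, but its `(<s>, socket) -> bind` and `accept -> recv -> send` transitions never occur in the browser automaton, so none of its transitions count as browser features. The unseen browser, by contrast, shares four of its seven transitions with the learned browser-specific set and is classified correctly despite a different startup sequence.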

This work was sponsored under DARPA contract DAAH01-99-C-R205.




Copyright information

© 2000 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Michael, C., Ghosh, A. (2000). Using Finite Automata to Mine Execution Data for Intrusion Detection: A Preliminary Report. In: Debar, H., Mé, L., Wu, S.F. (eds) Recent Advances in Intrusion Detection. RAID 2000. Lecture Notes in Computer Science, vol 1907. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-39945-3_5

  • DOI: https://doi.org/10.1007/3-540-39945-3_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-41085-0

  • Online ISBN: 978-3-540-39945-2
