Detecting the Deviations of Privileged Process Execution

  • Conference paper

Networking - ICN 2005 (ICN 2005)

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 3421)

Abstract

Most intruders gain unauthorized access to a system by exploiting vulnerabilities in privileged processes. Accordingly, monitoring privileged processes through their system call sequences is one of the effective methods for detecting intrusions. Based on an analysis of popular attacks, we propose a new intrusion detection model that monitors system call sequences and uses local fuzzy matching to improve detection accuracy. The model also adopts a novel profile generation method that can easily produce a better profile. Experimental results show that both accuracy and efficiency are improved.
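As an added illustration of the kind of monitor the abstract describes (this is not the paper's own code; the paper's exact matching rule and profile generator are not given on this page), the block below builds a profile of length-K system call windows from normal traces and then scores a test trace, counting a window as matching when it lies within a small Hamming distance of some profile window, which is one simple form of local fuzzy matching. The window length K, the tolerance TOL, the anomaly threshold and all sample traces are constructed assumptions made for the example.

```python
"""Sliding-window system-call profiling with locally fuzzy matching.

Added illustration of the approach the abstract describes; it is not the
paper's own code.  The profile is the set of length-K windows observed in
normal traces (the classic fixed-window representation of Hofmeyr/Forrest),
and a test window is accepted if its Hamming distance to the nearest profile
window is at most TOL.  The Hamming-distance rule, K, TOL, the threshold and
the sample traces are assumptions made here for the example.
"""
from typing import Iterable, List, Sequence, Set, Tuple

K = 4    # window length (assumed)
TOL = 1  # max per-window Hamming distance still counted as a match (assumed)

# Constructed sample traces (not from the paper): a privileged network
# daemon's normal accept/read/write/close loop, plus a config-file read.
NORMAL_TRACES: List[List[str]] = [
    ["socket", "bind", "listen", "accept", "read", "write", "close",
     "accept", "read", "write", "close"],
    ["socket", "bind", "listen", "accept", "read", "read", "write", "close",
     "accept", "read", "write", "close"],
    ["open", "read", "close", "accept", "read", "write", "close"],
]
# Benign variant never seen during training (an extra write per request).
VARIANT_TRACE = ["socket", "bind", "listen", "accept", "read", "write",
                 "write", "close", "accept", "read", "write", "close"]
# Constructed exploit-shaped trace: after the request is read, the process
# runs a setuid/execve/dup2 tail typical of a shell being spawned.
ATTACK_TRACE = ["socket", "bind", "listen", "accept", "read",
                "setuid", "execve", "dup2", "dup2", "write"]

Window = Tuple[str, ...]


def windows(trace: Sequence[str], k: int = K) -> List[Window]:
    """All length-k sliding windows of a syscall trace, in order."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def build_profile(traces: Iterable[Sequence[str]], k: int = K) -> Set[Window]:
    """Normal profile = set of every length-k window seen in training traces."""
    return {w for t in traces for w in windows(t, k)}


def hamming(a: Window, b: Window) -> int:
    """Number of positions at which two equal-length windows differ."""
    return sum(x != y for x, y in zip(a, b))


def nearest_distance(w: Window, profile: Set[Window]) -> int:
    """Hamming distance from w to the closest window in the profile."""
    return min(hamming(w, p) for p in profile)


def score_trace(trace: Sequence[str], profile: Set[Window],
                k: int = K, tol: int = TOL) -> Tuple[int, int, int]:
    """Return (mismatched_windows, total_windows, max_distance).

    A window is a local fuzzy match if some profile window is within tol
    substitutions; only windows farther than that count as mismatches.
    """
    dists = [nearest_distance(w, profile) for w in windows(trace, k)]
    mismatches = sum(d > tol for d in dists)
    return mismatches, len(dists), (max(dists) if dists else 0)


def is_anomalous(trace: Sequence[str], profile: Set[Window],
                 k: int = K, tol: int = TOL, max_rate: float = 0.25) -> bool:
    """Flag a trace when more than max_rate of its windows fail to match.

    The 25% rate is an assumed threshold for the example, not the paper's.
    """
    mism, total, _ = score_trace(trace, profile, k, tol)
    return total > 0 and mism / total > max_rate


if __name__ == "__main__":
    prof = build_profile(NORMAL_TRACES)
    for name, t in (("variant", VARIANT_TRACE), ("attack", ATTACK_TRACE)):
        for tol in (0, TOL):
            verdict = "anomalous" if is_anomalous(t, prof, tol=tol) else "normal"
            print(name, "tol=%d" % tol, score_trace(t, prof, tol=tol), verdict)
```

With exact matching (tol=0) the benign variant trips the threshold because three of its nine windows are unseen, while with tol=1 every one of them is within one substitution of a trained window and the trace passes; the exploit-shaped trace is flagged either way, because its setuid/execve/dup2 windows are two to four substitutions from anything in the profile. The tolerance has to stay small: a larger one would let a mimicry attack hide a single foreign call inside otherwise normal windows. The nearest-window search here is a linear scan over the profile per window, which is fine for a demonstration but would be indexed (for instance by the window's first call) in a monitor that runs on every system call.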

Supported by the National Grand Fundamental Research 973 Program of China under Grant No.G1999035802, the National Foundation of China for Distinguished Young Scholars under Grant No.60025205, the National Natural Science Foundation of China under Grant No.60273027 and the National High-Tech Research and Development Plan of China under Grant No.2003AA142150.

References

  1. Thomas, E.: Attack class: Buffer overflows. Hello World (1999)

  2. Klog: The Frame Pointer Overwrite. Phrack Magazine 55 (1999)

  3. Anonymous: Runtime Process Infection. Phrack Magazine 59 (2002)

  4. Blexim: Basic Integer Overflows. Phrack Magazine 60 (2002)

  5. Hofmeyr, S.A., Forrest, S., Somayaji, A.: Intrusion Detection using Sequences of System Calls. Journal of Computer Security 6 (1998)

  6. Okazaki, Y., Sato, I.: A New Intrusion Detection Method based on Process Profiling. In: Proceedings of the 2002 Symposium on Applications and the Internet, SAINT 2002 (2002)

  7. Liao, Y., Vemuri, V.R.: Using Text Categorization Techniques for Intrusion Detection. In: Proceedings of the 11th USENIX Security Symposium (2002)

  8. Eskin, E., Lee, W., Stolfo, S.J.: Modeling System Calls for Intrusion Detection with Dynamic Window Sizes. In: Proceedings of DISCEX II (June 2001)

  9. Warrender, C., Forrest, S., Pearlmutter, B.: Detecting Intrusions using System Calls: Alternative Data Models. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 133–145 (1999)

  10. Sekar, R., Bendre, M., Dhurjati, D., Bollineni, P.: A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors. In: IEEE Symposium on Security and Privacy (2001)

  11. Tinnagonsutibout, C., Watanapongse, P.: A Novel Approach to Process-based Intrusion Detection System Using Read-sequence Finite State Automata with Inbound Byte Profiler. In: ICEP 2003 (January 2003)

  12. Ko, C.: Logic Induction of Valid Behavior Specifications for Intrusion Detection. In: IEEE Symposium on Security and Privacy, Berkeley, California (2000)

  13. Wespi, A., Dacier, M., Debar, H.: Intrusion Detection Using Variable-Length Audit Trail Patterns. In: Debar, H., Mé, L., Wu, S.F. (eds.) RAID 2000. LNCS, vol. 1907, pp. 110–129. Springer, Heidelberg (2000)

  14. Wagner, D., Dean, D.: Intrusion Detection via Static Analysis. In: IEEE Symposium on Security and Privacy, Oakland, CA (2001)

Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Su, P., Li, D., Qu, H., Feng, D. (2005). Detecting the Deviations of Privileged Process Execution. In: Lorenz, P., Dini, P. (eds) Networking - ICN 2005. ICN 2005. Lecture Notes in Computer Science, vol 3421. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-31957-3_111

  • DOI: https://doi.org/10.1007/978-3-540-31957-3_111

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-25338-9

  • Online ISBN: 978-3-540-31957-3
