research-article

A reference based analysis framework for analyzing system call traces

Authors:
Varun Chandola

Oak Ridge National Laboratory

Oak Ridge National Laboratory
View Profile

,
Shyam Boriah

University of Minnesota

University of Minnesota
View Profile

,
Vipin Kumar

University of Minnesota

University of Minnesota
View Profile

CSIIRW '10: Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence ResearchApril 2010Article No.: 33Pages 1–3https://doi.org/10.1145/1852666.1852703

Published:21 April 2010Publication History

CSIIRW '10: Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research

Pages 1–3

ABSTRACT

Reference based analysis (RBA) is a novel data mining tool for exploring a test data set with respect to a reference data set. The power of RBA lies in it ability to transform any complex data type, such as symbolic sequences and multi-variate categorical data instances, into a multivariate continuous representation. The transformed representation not only allows visualization of the complex data, which cannot be otherwise visualized in its original form, but also allows enhanced anomaly detection in the transformed feature space. We demonstrate the application of the RBA framework in analyzing system call traces and show how the transformation results in improved intrusion detection performance over state of art data mining based intrusion detection methods developed for system call traces.

Supplemental Material

Available for Download

pdf

Supplemental material. (220.9 KB)

References

V. Chandola. Anomaly Detection for Symbolic Sequences and Time Series Data. PhD thesis, University of Minnesota, Sept. 2009. Google ScholarDigital Library
V. Chandola, S. Boriah, and V. Kumar. A framework for exploring categorical data. In Proceedings of the ninth SIAM International Conference on Data Mining, 2009.Google ScholarCross Ref
V. Chandola, V. Mithal, and V. Kumar. A comparative evaluation of anomaly detection techniques for sequence data. In Proceedings of International Conference on Data Mining, 2008. Google ScholarDigital Library
S. Forrest, C. Warrender, and B. Pearlmutter. Detecting intrusions using system calls: Alternate data models. In Proceedings of the 1999 IEEE ISRSP, pages 133--145, Washington, DC, USA, 1999. IEEE Computer Society.Google Scholar
B. Gao, H.-Y. Ma, and Y.-H. Yang. Hmms (hidden markov models) based on anomaly intrusion detection method. In Proceedings of International Conference on Machine Learning and Cybernetics, pages 381--385. IEEE, 2002.Google ScholarCross Ref
F. A. Gonzalez and D. Dasgupta. Anomaly detection using real-valued negative selection. Genetic Programming and Evolvable Machines, 4(4):383--403, 2003. Google ScholarDigital Library
S. A. Hofmeyr, S. Forrest, and A. Somayaji. Intrusion detection using sequences of system calls. Journal of Computer Security, 6(3):151--180, 1998. Google ScholarCross Ref
T. Lane and C. E. Brodley. Temporal sequence learning and data reduction for anomaly detection. ACM Transactions on Information Systems and Security, 2(3):295--331, 1999. Google ScholarDigital Library
W. Lee and S. Stolfo. Data mining approaches for intrusion detection. In Proceedings of the 7th USENIX Security Symposium, San Antonio, TX, 1998. Google ScholarDigital Library
W. Lee, S. Stolfo, and P. Chan. Learning patterns from unix process execution traces for intrusion detection. In Proceedings of the AAAI 97 workshop on AI methods in Fraud and risk management, 1997.Google Scholar
R. P. Lippmann and et al. Evaluating intrusion detection systems - the 1998 darpa off-line intrusion detection evaluation. In DARPA Information Survivability Conference and Exposition (DISCEX) 2000, volume 2, pages 12--26. IEEE Computer Society Press, 2000.Google Scholar
C. C. Michael and A. Ghosh. Two state-based approaches to program-based anomaly detection. In Proceedings of the 16th Annual Computer Security Applications Conference, page 21. IEEE Computer Society, 2000. Google ScholarDigital Library
N. Nguyen and P. Reiher. Detecting insider threats by monitoring system call activity. In IEEE Information Assurance Workshop, pages 18--20, 2003.Google ScholarCross Ref
S. Ramaswamy, R. Rastogi, and K. Shim. Efficient algorithms for mining outliers from large data sets. In Proceedings of the ACM SIGMOD international conference on Management of data, pages 427--438. ACM, 2000. Google ScholarDigital Library

Index Terms

A reference based analysis framework for analyzing system call traces
1. Information systems
  1. Information systems applications
    1. Data mining

Recommendations

Anomalous system call detection

Intrusion detection systems (IDSs) are used to detect traces of malicious activities targeted against the network and its resources. Anomaly-based IDSs build models of the expected behavior of applications by analyzing events that are generated during ...
Read More
A reference based analysis framework for understanding anomaly detection techniques for symbolic sequences

Anomaly detection for symbolic sequence data is a highly important area of research and is relevant in many application domains. While several techniques have been proposed within different domains, understanding of their relative strengths and ...
Read More
A framework of cooperating intrusion detection based on clustering analysis and expert system
InfoSecu '04: Proceedings of the 3rd international conference on Information security

This paper first analyzes and compares misuse detection and anomaly detection. Misuse detection can't detect new or unknown intrusion, while anomaly detection has the shortcoming on detection rate and false alarm rate. In order to overcome their ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
CSIIRW '10: Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research
April 2010
257 pages
ISBN:9781450300179
DOI:10.1145/1852666
Editors:
Frederick T. Sheldon
Oak Ridge National Laboratory
,
Stacy Prowell
Oak Ridge National Laboratory
,
Robert K. Abercrombie
Oak Ridge National Laboratory
,
Axel Krings
University of Idaho
Copyright © 2010 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 21 April 2010
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
anomaly detection
intrusion detection
reference based analysis
Qualifiers
- research-article
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 4
  Total Citations
  View Citations
- 241
  Total Downloads
- Downloads (Last 12 months)4
- Downloads (Last 6 weeks)0
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

A reference based analysis framework for analyzing system call traces

CSIIRW '10: Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research

ABSTRACT

Supplemental Material

Available for Download

References

Cited By

Index Terms

Recommendations

Anomalous system call detection

A reference based analysis framework for understanding anomaly detection techniques for symbolic sequences

A framework of cooperating intrusion detection based on clustering analysis and expert system