ABSTRACT
Reference based analysis (RBA) is a novel data mining tool for exploring a test data set with respect to a reference data set. The power of RBA lies in its ability to transform any complex data type, such as symbolic sequences and multivariate categorical data instances, into a multivariate continuous representation. The transformed representation not only allows visualization of the complex data, which cannot otherwise be visualized in its original form, but also allows enhanced anomaly detection in the transformed feature space. We demonstrate the application of the RBA framework in analyzing system call traces and show how the transformation results in improved intrusion detection performance over state-of-the-art data mining based intrusion detection methods developed for system call traces.