Abstract
This article describes variants of two state-based intrusion detection algorithms from Michael and Ghosh [2000] and Ghosh et al. [2000], and gives experimental results on their performance. The algorithms detect anomalies in execution audit data. One is a simply constructed finite-state machine, and the other two monitor statistical deviations from normal program behavior. The performance of these algorithms is evaluated as a function of the amount of available training data, and they are compared to the well-known intrusion detection technique of looking for novel n-grams in computer audit data.
References
- Anderson, J. 1980. Computer security threat monitoring and surveillance. Tech. Rep., James P. Anderson Co., Fort Washington, Pa.
- Basseville, M. and Nikiforov, I. V. 1993. Detection of Abrupt Changes: Theory and Application. Prentice-Hall, Inc., Englewood Cliffs, N.J.
- Cannady, J. 1998. Artificial neural networks for misuse detection. In Proceedings of the 1998 National Information Systems Security Conference (NISSC'98) (Arlington, Va.), 443--456.
- D'haeseleer, P., Forrest, S., and Helman, P. 1996. An immunological approach to change detection: Algorithms, analysis and implications. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society Press, Los Alamitos, Calif.
- Endler, D. 1998. Intrusion detection: Applying machine learning to Solaris audit data. In Proceedings of the 1998 Annual Computer Security Applications Conference (ACSAC'98) (Scottsdale, Ariz.). IEEE Computer Society Press, Los Alamitos, Calif., 268--279.
- Forrest, S., Hofmeyr, S. A., Somayaji, A., and Longstaff, T. A. 1996. A sense of self for Unix processes. In Proceedings of the 1996 IEEE Symposium on Research in Security and Privacy. IEEE Computer Society Press, Los Alamitos, Calif., 120--128.
- Freund, Y., Kearns, M., Ron, D., Rubinfeld, R., Schapire, R. E., and Sellie, L. 1997. Efficient learning of typical finite automata from random walks. Inf. Comput. 138, 1 (10 Oct.), 23--48.
- Ghosh, A., Michael, C. C., and Schatz, M. 2000. A real-time intrusion detection system based on learning program behavior. In Recent Advances in Intrusion Detection: Third International Workshop, H. Debar, L. Mé, and F. Wu, Eds. Lecture Notes in Computer Science, vol. 1907. Springer, Berlin, 93--109.
- Ghosh, A., Schwartzbard, A., and Schatz, M. 1999. Using program behavior profiles for intrusion detection. In Proceedings of the SANS Intrusion Detection Workshop.
- Ghosh, A., Wanken, J., and Charron, F. 1998. Detecting anomalous and unknown intrusions against programs. In Proceedings of the 1998 Annual Computer Security Applications Conference (ACSAC'98).
- Grimmett, G. R. and Stirzaker, D. R. 1992. Probability and Random Processes. Oxford University Press.
- Kearns, M. and Valiant, L. 1989. Cryptographic limitations on learning Boolean formulae and finite automata. In Proceedings of the 21st Annual ACM Symposium on Theory of Computing. ACM, New York, 433--444.
- Kim, G. H. and Spafford, E. H. 1994. The design and implementation of Tripwire: A file system integrity checker. In Proceedings of the 2nd ACM Conference on Computer and Communications Security (Fairfax, Va.), J. Stern, Ed. ACM, New York, 18--29.
- Kosoresow, A. P. and Hofmeyr, S. A. 1997. Intrusion detection via system call traces. IEEE Softw. 14, 5 (Sept./Oct.), 24--42.
- Lai, T. L. 1998. Information bounds and quick detection of parameter changes in stochastic systems. IEEE Trans. Inf. Theory 44, 7, 2917--2929.
- Lane, T. and Brodley, C. 1997. An application of machine learning to anomaly detection. In Proceedings of the 20th National Information Systems Security Conference, 366--377.
- Lane, T. and Brodley, C. E. 1999. Temporal sequence learning and data reduction for anomaly detection. ACM Trans. Inf. Syst. Sec. 2, 3, 295--331.
- Lang, K., Pearlmutter, B., and Price, R. 1998. Results of the Abbadingo One DFA learning competition and a new evidence-driven state merging algorithm. In Proceedings of the International Colloquium on Grammatical Inference (ICGI-98). Lecture Notes in Artificial Intelligence, vol. 1433. Springer-Verlag, New York, 1--12.
- Lee, W., Stolfo, S., and Chan, P. 1997. Learning patterns from Unix process execution traces for intrusion detection. In Proceedings of the AAAI97 Workshop on AI Methods in Fraud and Risk Management.
- Lunt, T. 1990. IDES: An intelligent system for detecting intruders. In Proceedings of the Symposium: Computer Security, Threat and Countermeasures (Rome, Italy).
- Lunt, T. 1993. A survey of intrusion detection techniques. Comput. Sec. 12, 405--418.
- Lunt, T. and Jagannathan, R. 1988. A prototype real-time intrusion-detection system. In Proceedings of the 1988 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, Los Alamitos, Calif.
- Lunt, T., Tamaru, A., Gilham, F., Jagannathan, R., Jalali, C., Javitz, H., Valdes, A., Neumann, P., and Garvey, T. 1992. A real-time intrusion-detection expert system (IDES). Tech. Rep., Computer Science Laboratory, SRI International.
- Michael, C. C. and Ghosh, A. 2000. Two state-based approaches to program-based anomaly detection. In Proceedings of ACSAC 2000, 21--30.
- Porras, P. and Neumann, P. 1997. EMERALD: Event monitoring enabling responses to anomalous live disturbances. In Proceedings of the 20th National Information Systems Security Conference, 353--365.
- Rabiner, L. and Juang, B.-H. 1993. Fundamentals of Speech Recognition. Prentice-Hall Signal Processing Series, Englewood Cliffs, N.J.
- Sekar, R., Bendre, M., Dhurjati, D., and Bollineni, P. 2000. A fast automaton-based method for detecting anomalous program behaviors. In Proceedings of the 2000 IEEE Symposium on Security and Privacy. IEEE Computer Society, Los Alamitos, Calif., 144--155.
- Staniford-Chen, S., Cheung, S., Crawford, R., Dilger, M., Frank, J., Hoagland, J., Levitt, K., Wee, C., Yip, R., and Zerkle, D. 1996. GrIDS: A graph-based intrusion detection system for large networks. In Proceedings of the 19th National Information Systems Security Conference.
- Vapnik, V. N. 1995. The Nature of Statistical Learning Theory. Springer, New York.
- Warrender, C., Forrest, S., and Pearlmutter, B. 1999. Detecting intrusions using system calls: Alternative data models. In Proceedings of the 1999 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, Los Alamitos, Calif., 133--145.
Index Terms
- Simple, state-based approaches to program-based anomaly detection