Behavioral distance measurement using hidden markov models

Authors:
Debin Gao;Michael K. Reiter;Dawn Song
Affiliations:
Carnegie Mellon University;Carnegie Mellon University;Carnegie Mellon University
Venue:
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
Year:
2006

Citing 23
Cited 8

Implementing fault-tolerant services using the state machine approach: a tutorial

ACM Computing Surveys (CSUR)
Secure agreement protocols: reliable and atomic group multicast in rampart

CCS '94 Proceedings of the 2nd ACM Conference on Computer and communications security
Applications of generalized pair hidden Markov models to alignment and gene finding problems

RECOMB '01 Proceedings of the fifth annual international conference on Computational biology
Fault Detection for Byzantine Quorum Systems

IEEE Transactions on Parallel and Distributed Systems
Practical byzantine fault tolerance and proactive recovery

ACM Transactions on Computer Systems (TOCS)
Mimicry attacks on host-based intrusion detection systems

Proceedings of the 9th ACM conference on Computer and communications security
Intrusion Detection Using Variable-Length Audit Trail Patterns

RAID '00 Proceedings of the Third International Workshop on Recent Advances in Intrusion Detection
Detecting Manipulated Remote Call Streams

Proceedings of the 11th USENIX Security Symposium
Hiding Intrusions: From the Abnormal to the Normal and Beyond

IH '02 Revised Papers from the 5th International Workshop on Information Hiding
Secure Intrusion-tolerant Replication on the Internet

DSN '02 Proceedings of the 2002 International Conference on Dependable Systems and Networks
Anomaly Detection Using Call Stack Information

SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
BASE: Using abstraction to improve fault tolerance

ACM Transactions on Computer Systems (TOCS)
A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors

SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Intrusion Detection via Static Analysis

SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Separating agreement from execution for byzantine fault tolerant services

SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
Gray-box extraction of execution graphs for anomaly detection

Proceedings of the 11th ACM conference on Computer and communications security
Fault-scalable Byzantine fault-tolerant services

Proceedings of the twentieth ACM symposium on Operating systems principles
Dataflow Anomaly Detection

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
On gray-box program tracking for anomaly detection

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
N-variant systems: a secretless framework for security through diversity

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
A sense of self for Unix processes

SP'96 Proceedings of the 1996 IEEE conference on Security and privacy
Behavioral distance for intrusion detection

RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Environment-sensitive intrusion detection

RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection

Sensing Attacks in Computers Networks with Hidden Markov Models

MLDM '07 Proceedings of the 5th international conference on Machine Learning and Data Mining in Pattern Recognition
Incorporation of Application Layer Protocol Syntax into Anomaly Detection

ICISS '08 Proceedings of the 4th International Conference on Information Systems Security
On the Effectiveness of Software Diversity: A Systematic Study on Real-World Vulnerabilities

DIMVA '09 Proceedings of the 6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Hidden Markov Model Modeling of SSH Brute-Force Attacks

DSOM '09 Proceedings of the 20th IFIP/IEEE International Workshop on Distributed Systems: Operations and Management: Integrated Management of Systems, Services, Processes and People in IT
Automated classification and analysis of internet malware

RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
A survey of anomaly intrusion detection techniques

Journal of Computing Sciences in Colleges
In-execution dynamic malware analysis and detection by mining information in process control blocks of Linux OS

Information Sciences: an International Journal
Software behaviour correlation in a redundant and diverse environment using the concept of trace abstraction

Proceedings of the 2013 Research in Adaptive and Convergent Systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

The behavioral distance between two processes is a measure of the deviation of their behaviors. Behavioral distance has been proposed for detecting the compromise of a process, by computing its behavioral distance from another process executed on the same input. Provided that the two processes are diverse and so unlikely to fall prey to the same attacks, an increase in behavioral distance might indicate the compromise of one of them. In this paper we propose a new approach to behavioral distance calculation using a new type of Hidden Markov Model. We also empirically evaluate the intrusion detection capability of our proposal when used to measure the distance between the system-call behaviors of diverse web servers. Our experiments show that it detects intrusions with substantially greater accuracy and with performance overhead comparable to that of prior proposals.