Simple, state-based approaches to program-based anomaly detection

Authors:
C. C. Michael;Anup Ghosh
Affiliations:
Cigital Labs, Dulles, VA;Cigital Labs, Dulles, VA
Venue:
ACM Transactions on Information and System Security (TISSEC)
Year:
2002

Citing 18
Cited 14

Crytographic limitations on learning Boolean formulae and finite automata

STOC '89 Proceedings of the twenty-first annual ACM symposium on Theory of computing
Detection of abrupt changes: theory and application

Detection of abrupt changes: theory and application
Fundamentals of speech recognition

Fundamentals of speech recognition
A survey of intrusion detection techniques

Computers and Security
The design and implementation of tripwire: a file system integrity checker

CCS '94 Proceedings of the 2nd ACM Conference on Computer and communications security
The nature of statistical learning theory

The nature of statistical learning theory
Efficient learning of typical finite automata from random walks

Information and Computation
Temporal sequence learning and data reduction for anomaly detection

ACM Transactions on Information and System Security (TISSEC)
Intrusion Detection via System Call Traces

IEEE Software
Results of the Abbadingo One DFA Learning Competition and a New Evidence-Driven State Merging Algorithm

ICGI '98 Proceedings of the 4th International Colloquium on Grammatical Inference
Learning Program Behavior Profiles for Intrusion Detection

Proceedings of the Workshop on Intrusion Detection and Network Monitoring
Intrusion Detection Applying Machine Learning to Solaris Audit Data

ACSAC '98 Proceedings of the 14th Annual Computer Security Applications Conference
Detecting Anomalous and Unknown Intrusions Against Programs

ACSAC '98 Proceedings of the 14th Annual Computer Security Applications Conference
Two state-based approaches to program-based anomaly detection

ACSAC '00 Proceedings of the 16th Annual Computer Security Applications Conference
An Immunological Approach to Change Detection: Algorithms, Analysis and Implications

SP '96 Proceedings of the 1996 IEEE Symposium on Security and Privacy
A Sense of Self for Unix Processes

SP '96 Proceedings of the 1996 IEEE Symposium on Security and Privacy
A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors

SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Information bounds and quick detection of parameter changes in stochastic systems

IEEE Transactions on Information Theory

Model-carrying code: a practical approach for safe execution of untrusted applications

SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
Attack profiles to derive data observations, features, and characteristics of cyber attacks

Information-Knowledge-Systems Management
A comparative evaluation of two algorithms for Windows Registry Anomaly Detection

Journal of Computer Security
Decoding efficiency of the MAP and the max-log MAP algorithm as a strategy in anomaly-based intrusion detection systems

CompSysTech '07 Proceedings of the 2007 international conference on Computer systems and technologies
Formal architectural models for agent-based service systems

International Journal of Computer Applications in Technology
Intrusion Prevention in Information Systems: Reactive and Proactive Responses

Journal of Management Information Systems
Selecting and Improving System Call Models for Anomaly Detection

DIMVA '09 Proceedings of the 6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment
A Framework for Large-Scale Detection of Web Site Defacements

ACM Transactions on Internet Technology (TOIT)
A cost-based analysis of intrusion detection system configuration under active or passive response

Decision Support Systems
Modular behavior profiles in systems with shared libraries (short paper)

ICICS'06 Proceedings of the 8th international conference on Information and Communications Security
SoIDPS: sensor objects-based intrusion detection and prevention system and its implementation

CIS'05 Proceedings of the 2005 international conference on Computational Intelligence and Security - Volume Part II
A comprehensive approach to anomaly detection in relational databases

DBSec'05 Proceedings of the 19th annual IFIP WG 11.3 working conference on Data and Applications Security
Anomaly detection in computer security and an application to file system accesses

ISMIS'05 Proceedings of the 15th international conference on Foundations of Intelligent Systems
On decision support for distributed systems protection: A perspective based on the human immune response system and epidemiology

International Journal of Information Management: The Journal for Information Professionals

Quantified Score

Hi-index	0.00

Visualization

Abstract

This article describes variants of two state-based intrusion detection algorithms from Michael and Ghosh [2000] and Ghosh et al. [2000], and gives experimental results on their performance. The algorithms detect anomalies in execution audit data. One is a simply constructed finite-state machine, and the other two monitor statistical deviations from normal program behavior. The performance of these algorithms is evaluated as a function of the amount of available training data, and they are compared to the well-known intrusion detection technique of looking for novel n-grams in computer audit data.