This paper investigates the use of sequences of system calls for classifying intrusions and faults induced by privileged processes in Unix. Classification is an essential capability for responding to an anomaly (attack or fault), since it makes it possible to associate an appropriate response with each anomaly type. Previous work using the well-known dataset from the University of New Mexico (UNM) has demonstrated the usefulness of monitoring sequences of system calls for detecting anomalies induced by processes of several Unix programs, such as sendmail, lpr and ftp. Specifically, previous work has shown that the Anomaly Count of a running process, i.e., the number of sequences spawned by the process that are not found in the corresponding dictionary of normal activity for the program (its Normal Dictionary), is a valuable feature for anomaly detection. To achieve classification, this paper introduces the concept of Anomaly Dictionaries: the sets of anomalous sequences for each type of anomaly. It is verified that the Anomaly Dictionaries for UNM's sendmail program have very little overlap and can be used effectively for anomaly classification. The sequences in an Anomaly Dictionary provide a description of Self for the anomalies, analogous to the definition of Self for privileged programs given by the Normal Dictionaries. The dependence of classification accuracy on sequence length is also discussed. As a side result, it is shown that a hybrid scheme combining the proposed classification strategy with the original Anomaly Counts can substantially improve the overall detection rate on the sendmail dataset. The proposed methodology is rather general and can be applied to any situation in which sequences of symbols effectively characterize a phenomenon.
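The following is an added example, not code from the paper or from the UNM dataset, that shows the three ideas the abstract describes in working form: a Normal Dictionary of system-call n-grams, the Anomaly Count of a trace against it, per-type Anomaly Dictionaries built from the anomalous sequences of labelled traces, and classification by overlap with those dictionaries. All traces, the two anomaly labels (`type_a`, `type_b`), the window length `N = 3` and the threshold `THRESHOLD = 4` are constructed for illustration. The abstract does not say how the hybrid scheme combines the two signals; the rule used here (alarm when the Anomaly Count reaches the threshold or any anomalous sequence is already known from an Anomaly Dictionary) is an assumption.

```python
"""Anomaly Counts, Anomaly Dictionaries and a hybrid detector over
system-call n-grams.  Added illustration; every trace below is made up."""
from itertools import combinations


def ngram_windows(trace, n):
    """All length-n windows of a system-call trace, in order, with repeats."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def build_normal_dictionary(normal_traces, n):
    """Normal Dictionary: every n-gram observed in clean traces of the program."""
    normal = set()
    for trace in normal_traces:
        normal.update(ngram_windows(trace, n))
    return normal


def anomaly_count(trace, normal, n):
    """Anomaly Count: windows of the trace that the Normal Dictionary lacks."""
    return sum(1 for w in ngram_windows(trace, n) if w not in normal)


def anomalous_sequences(trace, normal, n):
    """Distinct n-grams of the trace that are absent from the Normal Dictionary."""
    return set(ngram_windows(trace, n)) - normal


def build_anomaly_dictionaries(labelled_traces, normal, n):
    """One Anomaly Dictionary per anomaly type: the union of the anomalous
    sequences found in that type's training traces."""
    return {label: set().union(*(anomalous_sequences(t, normal, n) for t in traces))
            for label, traces in labelled_traces.items()}


def pairwise_overlap(anomaly_dicts):
    """Sequences shared by each pair of Anomaly Dictionaries.  Small overlaps
    are what make overlap-based classification workable."""
    return {(a, b): len(anomaly_dicts[a] & anomaly_dicts[b])
            for a, b in combinations(sorted(anomaly_dicts), 2)}


def classify(trace, normal, anomaly_dicts, n):
    """Return (label, anomaly_count, matches).  label is 'normal' when the
    Anomaly Count is zero, the anomaly type whose dictionary shares the most
    sequences with the trace, or 'unknown' when no dictionary matches."""
    count = anomaly_count(trace, normal, n)
    anomalous = anomalous_sequences(trace, normal, n)
    matches = {label: len(anomalous & d) for label, d in anomaly_dicts.items()}
    if count == 0:
        return "normal", count, matches
    best = max(matches, key=matches.get)
    if matches[best] == 0:
        return "unknown", count, matches
    return best, count, matches


def count_only_detect(trace, normal, n, threshold):
    """Original detector: alarm on Anomaly Count alone."""
    return anomaly_count(trace, normal, n) >= threshold


def hybrid_detect(trace, normal, anomaly_dicts, n, threshold):
    """Assumed hybrid rule: alarm when the Anomaly Count reaches the threshold
    OR any anomalous sequence is already listed in an Anomaly Dictionary."""
    _, count, matches = classify(trace, normal, anomaly_dicts, n)
    return count >= threshold or any(m > 0 for m in matches.values())


# Constructed training data (not UNM traces): three clean runs and two
# labelled runs for each of two hypothetical anomaly types.
N = 3
THRESHOLD = 4
NORMAL_TRACES = [
    ["open", "read", "mmap", "close", "write", "exit"],
    ["open", "read", "read", "close", "exit"],
    ["fork", "execve", "open", "read", "close", "exit"],
]
ANOMALY_TRACES = {
    "type_a": [["open", "read", "setuid", "execve", "exit"],
               ["open", "read", "read", "setuid", "execve", "exit"]],
    "type_b": [["open", "read", "unlink", "open", "write", "close"],
               ["open", "read", "close", "unlink", "open", "write", "close"]],
}
NORMAL = build_normal_dictionary(NORMAL_TRACES, N)
ANOMALY_DICTS = build_anomaly_dictionaries(ANOMALY_TRACES, NORMAL, N)

if __name__ == "__main__":
    print("normal dictionary size:", len(NORMAL))
    print("anomaly dictionary overlap:", pairwise_overlap(ANOMALY_DICTS))
    for trace in (["fork", "execve", "open", "read", "setuid", "execve", "exit"],
                  ["open", "read", "mmap", "close", "socket", "connect", "exit"]):
        print(classify(trace, NORMAL, ANOMALY_DICTS, N),
              "count-only:", count_only_detect(trace, NORMAL, N, THRESHOLD),
              "hybrid:", hybrid_detect(trace, NORMAL, ANOMALY_DICTS, N, THRESHOLD))
```

The trace `fork execve open read setuid execve exit` has an Anomaly Count of 3, below the threshold of 4, so the count-only detector misses it, while its three anomalous trigrams all sit in the `type_a` dictionary and the hybrid rule flags it; this is the kind of case in which classification can raise the detection rate. A trace with novel anomalous sequences and a low count (`open read mmap close socket connect exit`) is classified `unknown` and is missed by both rules, which is the limit of dictionary matching: an Anomaly Dictionary only recognises sequences it has already been trained on. Changing `N` shows how the dictionaries, and therefore the overlap and accuracy, depend on sequence length.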