Using Finite Automata to Mine Execution Data for Intrusion Detection: A Preliminary Report

Authors:
Christoph Michael;Anup K. Ghosh
Affiliations:
-;-
Venue:
RAID '00 Proceedings of the Third International Workshop on Recent Advances in Intrusion Detection
Year:
2000

Citing 5
Cited 4

The weighted majority algorithm

Information and Computation
Efficient learning of typical finite automata from random walks

Information and Computation
Results of the Abbadingo One DFA Learning Competition and a New Evidence-Driven State Merging Algorithm

ICGI '98 Proceedings of the 4th International Colloquium on Grammatical Inference
A Sense of Self for Unix Processes

SP '96 Proceedings of the 1996 IEEE Symposium on Security and Privacy
Estimation of Dependences Based on Empirical Data: Springer Series in Statistics (Springer Series in Statistics)

Estimation of Dependences Based on Empirical Data: Springer Series in Statistics (Springer Series in Statistics)

Automatic requirement extraction from test cases

RV'10 Proceedings of the First international conference on Runtime verification
A gray-box DPDA-based intrusion detection technique using system-call monitoring

Proceedings of the 8th Annual Collaboration, Electronic messaging, Anti-Abuse and Spam Conference
Leveraging speculative architectures for runtime program validation

ACM Transactions on Embedded Computing Systems (TECS)
PREC: practical root exploit containment for android devices

Proceedings of the 4th ACM conference on Data and application security and privacy

Quantified Score

Hi-index	0.01

Visualization

Abstract

The use of program execution traces to detect intrusions has proven to be a successful strategy. Existing systems that employ this approach are anomaly detectors, meaning that they model a program's normal behavior and signal deviations from that behavior. Unfortunately, many program-based exploits of NT systems use specialized malicious executables. Anomaly detection systems cannot deal with such programs because there is no standard of "normalcy" that they deviate from. This paper is a preliminary report on an attempt to remedy that situation. We report on a prototype system that learns to identify specific program behaviors. Though the goal is to identify malicious behavior, in this paper we report on experiments seeking to identify the behavior of the web-browser, since we did not have enough exemplars of malicious behavior to use as training data. Using automatically generated finite automata, we search for features in execution traces that allow us to distinguish browsers from other programs. In our experiments, we find that this technique does, in fact, allow us to distinguish traces Internet Explorer from traces of programs that are not web browsers, after training with Netscape and a different set of non-browsers.