Temporal Signatures for Intrusion Detection

  • Authors:
  • A. Jones; S. Li

  • Venue:
  • ACSAC '01 Proceedings of the 17th Annual Computer Security Applications Conference
  • Year:
  • 2001

Abstract

We introduce a new method for detecting intrusions based on the temporal behavior of applications. It builds on an existing method of application intrusion detection developed at the University of New Mexico that uses a system call sequence as a signature. Intrusions are detected by comparing the signature of the intrusion and that of the normal application. But when the system call sequences generated by the intrusion and the normal application are sufficiently similar, this method cannot work. By extending system call signature to incorporate temporal information related to the application, we form a richer signature. Analysis shows that the temporal behavior for many applications is relatively stable. We exclude high variance data when creating a normal database to characterize an application with a temporal signature. It can then be the basis for future comparisons in an intrusion detection system. This paper discusses experiments that test the effectiveness of the temporal signature on different applications, alternative intrusions, and in various environments. The results show that by choosing appropriate analysis methods and experimentally adjusting the parameters, intrusions are readily detected. Finally, we give some comparisons between the temporal signature method and the system call method.