This paper introduces an automated technique for constructing valid behavior specifications of programs (at the system call level) that are independent of system vulnerabilities and are highly effective in identifying intrusions. The technique employs a machine learning method, Inductive Logic Programming (ILP), to synthesize first-order logic formulas describing the valid operations of a program from the program's normal runs. ILP, backed by theories and techniques extended from computational logic, allows complex domain-specific background knowledge to be used in the learning process to produce sound and consistent knowledge. A specification induction engine has been developed by extending an existing ILP tool and has been used to construct specifications for several (10) privileged programs in Unix. Coupled with rich background knowledge in systems and security, the prototype induction engine generates human-understandable and analyzable specifications that are as good as those written by a human. Preliminary experiments with existing attacks show that the generated specifications are highly effective in detecting attacks that subvert privileged programs to gain unauthorized access to resources.