We present a component anomaly detector for a host-based intrusion detection system (IDS) for Microsoft Windows. The core of the detector is a learning-based anomaly detection algorithm that detects attacks on a host machine by looking for anomalous accesses to the Windows Registry. We present and compare two anomaly detection algorithms for use in our IDS and evaluate their performance. One algorithm, called PAD (Probabilistic Anomaly Detection), is based on probability density estimation, while the second uses the Support Vector Machine framework. The key idea behind the detector is to first train a model of normal Registry behavior on a Windows host, even when noise may be present in the training data, and then use this model to detect abnormal Registry accesses. At run time, the model is used to check each access to the Registry in real time to determine whether the behavior is abnormal and possibly corresponds to an attack. The system is effective in detecting the actions of malicious software while maintaining a low rate of false alarms. We show that the probabilistic anomaly detection algorithm outperforms the support vector machine implementation, in both accuracy and computational complexity, under three different kernel functions.