Abstract
In practice, most computer intrusions begin by misusing programs in clever ways to obtain unauthorized higher levels of privilege. One effective way to detect intrusive activity before system damage is perpetrated is to detect misuse of privileged programs in real-time. In this paper, we describe three machine learning algorithms that learn the normal behavior of programs running on the Solaris platform in order to detect unusual uses or misuses of these programs. The performance of the three algorithms has been evaluated by an independent laboratory in an off-line controlled evaluation against a set of computer intrusions and normal usage to determine rates of correct detection and false alarms. A real-time system has since been developed that will enable deployment of a program-based intrusion detection system in a real installation.
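To make the abstract's idea concrete, the following is an added example (not code from the paper or its authors) of the simplest form of a program-behaviour detector: a database of fixed-length system-call windows learned from normal traces, an anomaly score for a new trace, and the detection-rate / false-alarm-rate evaluation the abstract mentions. The windowed-sequence model and all traces are constructed for illustration and are not one of the paper's three algorithms or its evaluation data.

```python
from collections import Counter

# Constructed sample traces standing in for per-program system call traces
# recorded during normal use. Not data from the paper.
NORMAL_TRACES = [
    ["open", "read", "mmap", "close", "open", "read", "close"],
    ["open", "read", "mmap", "mmap", "close", "exit"],
    ["open", "read", "close", "open", "read", "mmap", "close", "exit"],
]

# Constructed labelled traces for evaluation: (trace, is_intrusion).
TEST_TRACES = {
    "normal_run": (["open", "read", "mmap", "close", "exit"], False),
    "intrusive_run": (["open", "read", "setuid", "execve", "close"], True),
}


def windows(trace, n):
    """All length-n sliding windows of a trace, as tuples."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def train(traces, n=3):
    """Learn the set of length-n windows observed while the program behaves normally."""
    db = set()
    for t in traces:
        db.update(windows(t, n))
    return db


def anomaly_score(db, trace, n=3):
    """Fraction of windows in the trace never seen in training (0.0 = fully normal)."""
    w = windows(trace, n)
    if not w:
        return 0.0
    return sum(1 for x in w if x not in db) / len(w)


def evaluate(db, labelled, threshold, n=3):
    """Return (detection rate, false alarm rate) over (trace, is_intrusion) pairs."""
    detected = alarms = intrusions = normals = 0
    for trace, is_intrusion in labelled.values():
        alarm = anomaly_score(db, trace, n) > threshold
        if is_intrusion:
            intrusions += 1
            detected += alarm
        else:
            normals += 1
            alarms += alarm
    return (detected / intrusions if intrusions else 0.0,
            alarms / normals if normals else 0.0)
```

Raising the threshold trades missed intrusions for fewer false alarms, which is exactly the trade-off the off-line evaluation measures.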
© 2000 Springer-Verlag Berlin Heidelberg
Ghosh, A.K., Michael, C., Schatz, M. (2000). A Real-Time Intrusion Detection System Based on Learning Program Behavior. In: Debar, H., Mé, L., Wu, S.F. (eds) Recent Advances in Intrusion Detection. RAID 2000. Lecture Notes in Computer Science, vol 1907. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-39945-3_7
DOI: https://doi.org/10.1007/3-540-39945-3_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-41085-0
Online ISBN: 978-3-540-39945-2