A Real-Time Intrusion Detection System Based on Learning Program Behavior

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 1907))

Abstract

In practice, most computer intrusions begin by misusing programs in clever ways to obtain unauthorized higher levels of privilege. One effective way to detect intrusive activity before system damage is perpetrated is to detect misuse of privileged programs in real-time. In this paper, we describe three machine learning algorithms that learn the normal behavior of programs running on the Solaris platform in order to detect unusual uses or misuses of these programs. The performance of the three algorithms has been evaluated by an independent laboratory in an off-line controlled evaluation against a set of computer intrusions and normal usage to determine rates of correct detection and false alarms. A real-time system has since been developed that will enable deployment of a program-based intrusion detection system in a real installation.


© 2000 Springer-Verlag Berlin Heidelberg

Cite this paper

Ghosh, A.K., Michael, C., Schatz, M. (2000). A Real-Time Intrusion Detection System Based on Learning Program Behavior. In: Debar, H., Mé, L., Wu, S.F. (eds) Recent Advances in Intrusion Detection. RAID 2000. Lecture Notes in Computer Science, vol 1907. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-39945-3_7

  • DOI: https://doi.org/10.1007/3-540-39945-3_7

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-41085-0

  • Online ISBN: 978-3-540-39945-2

  • eBook Packages: Springer Book Archive