Automatic Generation of Finite State Automata for Detecting Intrusions Using System Call Sequences

  • Kyubum Wee
  • Byungeun Moon
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2776)

Abstract

Analysis of system call sequences generated by privileged programs has been proven to be an effective way of detecting intrusions. There are many approaches to analyzing system call sequences, including N-grams, rule induction, finite automata, and Hidden Markov Models. Among these techniques, the use of finite automata has the advantage of analyzing whole sequences without imposing a heavy load on the system. There have been various studies on how to construct finite automata that model the normal behavior of privileged programs. However, previous studies had the disadvantage of either constructing finite automata manually or requiring system information other than system calls. In this paper we present fully automated algorithms to construct finite automata that recognize sequences of normal behavior and reject those of abnormal behavior, without requiring system information other than system calls. We implemented our algorithms and experimented with well-known data sets of system call sequences. The results of the experiments show the efficiency and effectiveness of our system.

Keywords

Intrusion Detection, Normal Behavior, Anomaly Detection, System Call, Finite Automaton
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Kyubum Wee (1)
  • Byungeun Moon (2)
  1. Ajou University, Suwon, S. Korea
  2. SitecSoft, Seoul, S. Korea
