A Novel Intrusion Detection System for a Local Computer Network
Local computer networks at major universities are routinely plagued by self-replicating malicious software. Due to the intensive exchange of data and information within the network, when modern viruses, worms and malicious software are introduced they propagate very quickly, leaving little or no time for human intervention. Such environments are ideal for the implementation of the automatic IDS described hereins. It employs the Dynamic Code Analyzer (DCA) that detects malicious software during run time by monitoring system calls invoked by individual processes and detecting subsequences (patterns) of system calls indicative of attempted self-replication. A similar approach, also utilizing system calls, is developed for the detection of network worms. Both techniques have the potential for detecting previously unknown malicious software and significantly reducing computer resource utilization. Unfortunately, in comparison with traditional signature based antivirus software, both approaches have a much higher rate of false alarms. To address this short coming the authors propose a method to search for evidence of the alarm propagation within the network. This is achieved by aggregating alarms from individual hosts at a server where these alarms can be correlated, resulting in a highly accurate detection capability. Such a system, implementing the presented technology, and capable of significantly reducing the downtime of networked computers owned by students and faculty, is being implemented at the computer network at the Kazakh National University.
Keywordsdecision-making under uncertainty utility possibility theory inclusion index comonotone fuzzy sets Choquet integral
Unable to display preview. Download preview PDF.
- 1.Bernaschi, M., Grabrielli, E., Mancini, L.: Operating System Enhancements to Prevent the Misuse of System Calls. In: Proceedings of the ACM Conference on Computer and Communications Security (June 2000)Google Scholar
- 2.Bowen, T., Segal, M., Sekar, R., On preventing intrusions by process behavior monitoring In: Proceedings of the Workshop on Intrusion Detection and Network Monitoring (May 1999)Google Scholar
- 3.Durante, A., Di Pietro, R., Mancini, L.V.: Formal Specification for Fast Automatic IDS Training. In: Abdallah, A.E., Ryan, P.Y.A., Schneider, S. (eds.) FASec 2002. LNCS, vol 2629, pp. 191–204. Springer, Heidelberg (2003)Google Scholar
- 4.Gottman, J.M., Kumar, R.A.: Sequential analysis. A guide for behavioral researchers. Cambridge University Press, Cambridge (1990)Google Scholar
- 5.Hofmeyr, S.A., Forrest, S., Somayaji, A.: Intrusion detection using sequences of system calls. Journal of Computer Security 6, 151–180 (1998)Google Scholar
- 6.Kang, D., Fuller, D., Honavar, V.: Learning classifiers for misuse and anomaly detection using a bag of system calls representation. In: Proceedings of 6th IEEE Systems Man and Cybernetics Information Assurance Workshop (June 2005)Google Scholar
- 7.Krügel, C., Mutz, K., Valeur, K., Vigna, G.: On the Detection of Anomalous System Call Arguments. In: Snekkenes, E., Gollman, D. (eds.) ESORICS 2003. LNCS, vol. 2808, Springer, Heidelberg (2003)Google Scholar
- 8.Liu, A., Cheryl, M.: A Comparison of System Call Feature Representations for Insider Threat Detection. In: Proceedings of the 6th IEEE Information Assurance Workshop (May 2005)Google Scholar
- 9.Skormin, V., Volynkin, A., Summerville, D., Moronski, J.: Run-Time Detection of Malicious Self-Replication in Binary Executables. Journal of Computer Security 15 (2007)Google Scholar
- 10.Stolfo, S., Lee, W., Eskin, E.: Modeling system calls for ID with Dynamic Window Sizes. Proceedings of the DISCEX II (June 2001)Google Scholar
- 11.Tandon, G., Chan, P.K. Learning Useful System Call Attributes for Anomaly Detection. In: Proceedings of the FLAIRS Conference (June 2005)Google Scholar
- 12.Tokhtabayev, A.G., Skormin, A.G.: Non-Stationary Markov Models and Anomaly Propagation Analysis in IDS. In: Proceedings of IAS’07 (to appear)Google Scholar