Abstract
Local computer networks at major universities are routinely plagued by self-replicating malicious software. Because data and information are exchanged intensively within such a network, modern viruses, worms and other malicious software propagate very quickly once introduced, leaving little or no time for human intervention. Such environments are ideal for the automatic IDS described herein. It employs the Dynamic Code Analyzer (DCA), which detects malicious software at run time by monitoring the system calls invoked by individual processes and detecting subsequences (patterns) of system calls indicative of attempted self-replication. A similar approach, also based on system calls, is developed for the detection of network worms. Both techniques have the potential to detect previously unknown malicious software while significantly reducing computer resource utilization. Unfortunately, in comparison with traditional signature-based antivirus software, both approaches have a much higher false alarm rate. To address this shortcoming the authors propose a method that searches for evidence of alarm propagation within the network: alarms from individual hosts are aggregated at a server, where they can be correlated, resulting in a highly accurate detection capability. Such a system, implementing the presented technology and capable of significantly reducing the downtime of networked computers owned by students and faculty, is being implemented on the computer network of the Kazakh National University.
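The two-stage scheme the abstract describes (per-process system-call pattern matching on each host, then correlation of the resulting alarms at a server to confirm propagation before raising an outbreak) can be modelled as follows. This is an added illustrative example, not the authors' DCA or server code: the self-replication pattern, the `(time, pid, syscall)` event format, the sample traces, the correlation window and the host threshold are all assumptions made here for the illustration.

```python
"""Toy model of host-level self-replication detection plus server-side alarm
correlation. Added example; not the paper's implementation. All names,
patterns and sample data below are assumptions constructed for illustration."""
from collections import defaultdict

# Assumed self-replication signature: a process reads its own image, creates a
# new file, writes to it and executes it. The real DCA patterns are not on the
# page; this one is hypothetical.
SELF_REPLICATION_PATTERN = ("open_self", "read", "create", "write", "exec")


def contains_subsequence(trace, pattern):
    """True if `pattern` occurs in `trace` as an ordered, not necessarily
    contiguous, subsequence. Unrelated calls may be interleaved."""
    it = iter(trace)
    return all(any(call == wanted for call in it) for wanted in pattern)


def host_alarms(host, events, pattern=SELF_REPLICATION_PATTERN):
    """Host-side monitor: group syscall events by pid and raise one alarm per
    process whose trace contains the self-replication pattern.
    `events` is a list of (time, pid, syscall_name) tuples."""
    per_pid = defaultdict(list)
    for t, pid, call in events:
        per_pid[pid].append((t, call))
    alarms = []
    for pid, calls in per_pid.items():
        if contains_subsequence([c for _, c in calls], pattern):
            alarms.append({"host": host, "pid": pid, "time": calls[-1][0]})
    return alarms


def correlate(alarms, window, min_hosts):
    """Server side: an alarm is confirmed only when alarms from at least
    `min_hosts` distinct hosts fall inside a sliding window of `window` time
    units. Isolated alarms (one host, no spread) are treated as false positives.
    Returns the set of hosts involved in confirmed propagation."""
    alarms = sorted(alarms, key=lambda a: a["time"])
    confirmed = set()
    for i, start in enumerate(alarms):
        in_window = [b for b in alarms[i:] if b["time"] - start["time"] <= window]
        hosts = {b["host"] for b in in_window}
        if len(hosts) >= min_hosts:
            confirmed |= hosts
    return confirmed


def run_pipeline(events_by_host, window=30, min_hosts=3):
    """Aggregate per-host alarms at the 'server' and correlate them."""
    all_alarms = []
    for host, events in events_by_host.items():
        all_alarms.extend(host_alarms(host, events))
    return all_alarms, correlate(all_alarms, window, min_hosts)


# Constructed sample traces (not real captures). Hosts A, B, C show the same
# replication pattern within seconds of each other; D is a benign editor;
# E shows the pattern but in isolation much later (e.g. a legitimate installer).
SAMPLE_EVENTS = {
    "hostA": [(10, 100, "open_self"), (11, 100, "read"), (12, 100, "create"),
              (13, 100, "write"), (14, 100, "exec")],
    "hostB": [(15, 200, "open_self"), (16, 200, "read"), (16, 200, "stat"),
              (17, 200, "create"), (18, 200, "write"), (19, 200, "exec")],
    "hostC": [(20, 300, "open_self"), (21, 300, "read"), (22, 300, "create"),
              (23, 300, "write"), (24, 300, "exec")],
    "hostD": [(12, 400, "open"), (13, 400, "read"), (14, 400, "write")],
    "hostE": [(500, 500, "open_self"), (501, 500, "read"), (502, 500, "create"),
              (503, 500, "write"), (504, 500, "exec")],
}

if __name__ == "__main__":
    alarms, confirmed = run_pipeline(SAMPLE_EVENTS)
    for a in alarms:
        print("host alarm:", a)
    print("confirmed propagation on:", sorted(confirmed))
```

Running the block raises host-level alarms on A, B, C and E (the editor on D never matches), but the server confirms only A, B and C, since E's alarm has no corroborating alarms within the window. That is the false-positive suppression the abstract relies on; the price is that a single infected host that has not yet spread is also suppressed, so the window and threshold have to be tuned against how fast the malware propagates.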
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Tokhtabayev, A., Altaibek, A., Skormin, V., Tukeyev, U. (2007). A Novel Intrusion Detection System for a Local Computer Network. In: Gorodetsky, V., Kotenko, I., Skormin, V.A. (eds) Computer Network Security. MMM-ACNS 2007. Communications in Computer and Information Science, vol 1. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-73986-9_27
DOI: https://doi.org/10.1007/978-3-540-73986-9_27
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-73985-2
Online ISBN: 978-3-540-73986-9