Learning Program Behavior for Run-Time Software Assurance

  • Hira Agrawal
  • Clifford Behrens
  • Balakrishnan Dasarathy
  • Leslie Lee Fook
Conference paper
Part of the Advances in Intelligent and Soft Computing book series (AINSC, volume 63)


In this paper we present techniques for machine learning of program behavior by observing application level events to support runtime anomaly detection. We exploit two key relationships among event sequences: their edit distance proximity and state information embedded in event data. We integrate two techniques that employ these relationships to reduce both false positives and false negatives. Our techniques consider event sequences in their entirety, and thus better leverage correlations among events over longer time periods than most other techniques that use small, fixed length sliding windows over such sequences. We employ cluster signatures that minimize adverse effects of noise in anomaly detection, thereby further reducing false positives. We leverage state information in event data to summarize loop structures in sequences which, in turn, leads to better classification of program behavior. We have performed initial validations of these techniques using Asterisk®, a widely deployed, open source digital PBX.


program behavior learning unsupervised learning anomaly detection intrusion detection automata generation 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Asterisk open source digital PBX,
  2. 2.
    Bhatkar, S., Chaturvedi, A., Sekar, R.: Dataflow Anomaly Detection. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 48–62 (2006)Google Scholar
  3. 3.
    Cook, J., Wolf, A.L.: Discovering Models of Software Processes from Event-Based Data. ACM Trans. Software Engineering and Methodology 7(3), 215–249 (1998)CrossRefGoogle Scholar
  4. 4.
    Gold, E.: Language identification in the limit. Inf. Control 10, 447–474 (1967)zbMATHCrossRefGoogle Scholar
  5. 5.
    Gusfield, D.: Algorithms on Strings, Trees, and Sequences: Computer Science and Computational Biology. Cambridge University Press, Cambridge (1997)zbMATHCrossRefGoogle Scholar
  6. 6.
    Hofmeyr, S.A., Somayaji, A., Forrest, S.: Intrusion Detection using Sequences of System Calls. Journal of Computer Security 6, 151–180 (1998)Google Scholar
  7. 7.
    Ko, C.: Logic induction of valid behavior specifications for intrusion detection. In: Proc. IEEE Symposium on Security and Privacy (2000)Google Scholar
  8. 8.
    Lazarevic, A., Ertoz, L., Ozgur, A., Srivastava, J., Kumar, V.: A comparative study of anomaly detection schemes in network intrusion detection. In: SDM (2003)Google Scholar
  9. 9.
    Lindqvist, U., Porras, P.A.: eXpert-BSM: A Host-based Intrusion Detection Solution for Sun Solaris. In: Proc.17th Annual Computer Security Applications Conference, pp. 240–251 (2001)Google Scholar
  10. 10.
    Needleman, S.B., Wunsch, C.D.: A general method applicable to the search for similarities in the amino acid sequence of two proteins. Journal of Molecular Biology 48, 443–453 (1970)CrossRefGoogle Scholar
  11. 11.
    Tandon, G., Chan, P.: Learning Rules from System Call Arguments and Sequences for Anomaly Detection. In: Workshop on Data Mining for Computer Security, pp. 20–29 (2003)Google Scholar
  12. 12.
    Wee, K., Moon, B.: Automatic generation of finite state automata for detecting intrusions using system call sequences. In: Gorodetsky, V., Popyack, L.J., Skormin, V.A. (eds.) MMM-ACNS 2003. LNCS, vol. 2776, pp. 206–216. Springer, Heidelberg (2003)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Hira Agrawal
    • 1
  • Clifford Behrens
    • 1
  • Balakrishnan Dasarathy
    • 1
  • Leslie Lee Fook
    • 2
  1. 1. PiscatawayUSA
  2. 2.Port of SpainTrinidad

Personalised recommendations