Intrusion Detection Using Variable-Length Audit Trail Patterns
Purchase on Springer.com
$29.95 / €24.95 / £19.95*
* Final gross prices may vary according to local VAT.
Audit trail patterns generated on behalf of a Unix process can be used to model the process behavior. Most of the approaches proposed so far use a table of fixed-length patterns to represent the process model. However, variable-length patterns seem to be more naturally suited to model the process behavior, but they are also more difficult to construct. In this paper, we present a novel technique to build a table of variable-length patterns. This technique is based on Teiresias, an algorithm initially developed for discovering rigid patterns in unaligned biological sequences. We evaluate the quality of our technique in a testbed environment, and compare it with the intrusion-detection system proposed by Forrest et al. , which is based on fixed-length patterns. The results achieved with our novel method are significantly better than those obtained with the original method based on fixed-length patterns.
- A. Brazma, I. Jonassen, I. Eidhammer, and D. Gilbert. Approaches to the automatic discovery of patterns in biosequences. Technical report, Department of Informatics, University of Bergen, 1995.
- Hervé Debar, Marc Dacier, Medhi Nassehi, and Andreas Wespi. Fixed vs. variable-length patterns for detecting suspicious process behavior. In Jean-Jacques Quisquater, Yves Deswarte, Catherine Meadows, and Dieter Gollmann, (editors), Computer Security-ESORICS 98, 5th European Symposium on Research in Computer Security, LNCS, pages 1–15, Louvain-la-Neuve, Belgium, September 1998. Springer.
- Hervé Debar, Marc Dacier, and Andreas Wespi. Reference Audit Information Generation for Intrusion Detection Systems. In Reinhard Posch and György Papp, (editors), Information Systems Security, Proceedings of the 14th International Information Security Conference IFIP SEC’98, pages 405–417, Vienna, Austria and Budapest, Hungaria, August 31–September 4 1998.
- Hervé Debar, Marc Dacier, and Andreas Wespi. Towards a taxonomy of intrusion detection systems. Computer Networks, 31(8):805–822, April 1999. Special issue on Computer Network Security.
- Hervé Debar, Marc Dacier, Andreas Wespi, and Stefan Lampart. A workbench for intrusion detection systems. Technical Report RZ 6519, IBM Zurich Research Laboratory, Säumerstrasse 4, CH-8803 Rüschlikon, Switzerland, March 1998.
- Patrick D’haeseleer, Stephanie Forrest, and Paul Helman. An immunological approach to change detection: algorithms, analysis, and implications. In Proceedings of the 1996 IEEE Symposium on Research in Security and Privacy, pages 110–119. IEEE Computer Society, IEEE Computer Society Press, May 1996.
- Stephanie Forrest, Steven A. Hofmeyr, and Anil Somayaji. Computer immunology. Communications of the ACM, 40(10):88–96, October 1997.
- Stephanie Forrest, Steven A. Hofmeyr, Anil Somayaji, and Thomas A. Longstaff. A sense of self for Unix processes. In Proceedinges of the 1996 IEEE Symposium on Research in Security and Privacy, pages 120–128. IEEE Computer Society, IEEE Computer Society Press, May 1996.
- Stephanie Forrest, Alan S. Perelson, Lawrence Allen, and Rajesh Cherukuri. Self-nonself discrimination. In Proceedings of the 1994 IEEE Symposium on Research in Security and Privacy, pages 202–212. IEEE Computer Society, IEEE Computer Society Press, May 1994.
- Steven A. Hofmeyr, Stephanie Forrest, and Anil Somayaji. Intrusion detection using sequences of system calls. Journal of Computer Security, 6(3):151–180, 1998.
- Andrew P. Kosoresow and Steven A. Hofmeyr. Intrusion detection via system call traces. IEEE Software, pages 35–42, September/October 1997.
- Isidore Rigoutsos and Aris Floratos. Combinatorial pattern discovery in biological sequences. Bioinformatics, 14(1):55–67, 1998. CrossRef
- Andreas Wespi, Marc Dacier, and Hervé Debar. An intrusion-detection system based on the Teiresias pattern-discovery algorithm. In Urs E. Gattiker, Pia Pedersen, and Karsten Petersen, (editors), Proceedings of EICAR’ 99, Aalborg, Denmark, February 1999. European Institute for Computer Anti-Virus Research. ISBN 87-987271-0-9.
- Andreas Wespi, Marc Dacier, Hervé Debar, and Mehdi M. Nassehi. Audit trail pattern analysis for detecting suspicious process behavior. In Proceedings of RAID 98, Workshop on Recent Advances in Intrusion Detection, Louvain-la-Neuve, Belgium, September 1998.
- Andreas Wespi and Hervé Debar. Building an intrusion-detection system to detect suspicious process behavior. In Proceedings of RAID 99, Workshop on Recent Advances in Intrusion Detection, West Lafayette, Indiana, USA, September 1999.
- Intrusion Detection Using Variable-Length Audit Trail Patterns
- Book Title
- Recent Advances in Intrusion Detection
- Book Subtitle
- Third International Workshop, RAID 2000 Toulouse, France, October 2–4, 2000 Proceedings
- pp 110-129
- Print ISBN
- Online ISBN
- Series Title
- Lecture Notes in Computer Science
- Series Volume
- Series ISSN
- Springer Berlin Heidelberg
- Copyright Holder
- Springer-Verlag Berlin Heidelberg
- Additional Links
- Intrusion detection
- pattern discovery
- pattern matching
- variable-length patterns
- C2 audit trail
- functionality verification tests
- Industry Sectors
- eBook Packages
- Editor Affiliations
- 4. France Télécom R & D
- 5. SUPELEC
- 6. Department of Computer Science, 2063 Engineering II, University of California at Davis
- Author Affiliations
- 7. IBM Research, Zurich Research Laboratory, Säumerstrasse 4, CH-8803, Rüschlikon, Switzerland
To view the rest of this content please follow the download PDF link above.