Behavioral Distance Measurement Using Hidden Markov Models

  • Debin Gao
  • Michael K. Reiter
  • Dawn Song
Conference paper

DOI: 10.1007/11856214_2

Part of the Lecture Notes in Computer Science book series (LNCS, volume 4219)
Cite this paper as:
Gao D., Reiter M.K., Song D. (2006) Behavioral Distance Measurement Using Hidden Markov Models. In: Zamboni D., Kruegel C. (eds) Recent Advances in Intrusion Detection. RAID 2006. Lecture Notes in Computer Science, vol 4219. Springer, Berlin, Heidelberg

Abstract

The behavioral distance between two processes is a measure of the deviation of their behaviors. Behavioral distance has been proposed for detecting the compromise of a process, by computing its behavioral distance from another process executed on the same input. Provided that the two processes are diverse and so unlikely to fall prey to the same attacks, an increase in behavioral distance might indicate the compromise of one of them. In this paper we propose a new approach to behavioral distance calculation using a new type of Hidden Markov Model. We also empirically evaluate the intrusion detection capability of our proposal when used to measure the distance between the system-call behaviors of diverse web servers. Our experiments show that it detects intrusions with substantially greater accuracy and with performance overhead comparable to that of prior proposals.

Keywords

intrusion detection, anomaly detection, system call, behavioral distance

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Debin Gao (1)
  • Michael K. Reiter (1)
  • Dawn Song (1)
  1. Carnegie Mellon University
