Abstract
In this paper we propose a prediction-model method for detecting anomalous program behavior, in the same spirit as Eskin, Lee and Stolfo [7]. In their method a program is characterized by both the order and the kind of its system calls; we focus instead on a non-sequential feature of the system calls issued by a program. We apply a Bayesian network to predict the N-th system call from the sequence of the N−1 system calls that precede it. In addition, we show that correlations between several kinds of system calls can be expressed with our method and can characterize a program's behavior.
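To make the abstract's idea concrete, here is an added example (not the authors' code) of a predictor that uses only the kinds of the N−1 preceding system calls, with order and multiplicity dropped, to estimate the N-th call. A minimal two-node model (window-kinds node to next-call node, with add-alpha smoothing) stands in for the paper's Bayesian network, whose actual structure is not given on this page. The training traces of a hypothetical file-copying program and the suspect trace containing an unexpected execve are constructed for the example; the window size N, the 0.5 smoothing constant and the 0.1 flagging threshold are likewise assumptions.

```python
"""Kind-of-call window predictor, as an illustration of the abstract's idea.

Added example, not the authors' code: a minimal two-node model
(kinds present in the previous N-1 calls -> N-th call) stands in for the
paper's Bayesian network, whose structure is not given on this page.
All traces below are constructed for the example.
"""
from collections import Counter, defaultdict
from math import log

# Constructed "normal" traces of a hypothetical file-copying program.
NORMAL_TRACES = [
    ["open", "fstat", "mmap", "read", "write", "read", "write", "close"],
    ["open", "fstat", "mmap", "read", "write", "close"],
    ["open", "mmap", "fstat", "read", "write", "read", "write", "close"],
    ["open", "fstat", "mmap", "read", "read", "write", "write", "close"],
]

# Constructed trace in which an execve appears where the program never calls it.
SUSPECT_TRACE = ["open", "fstat", "mmap", "read", "execve", "write", "close"]


class KindWindowModel:
    """Estimates P(N-th call | kinds in the N-1 preceding calls) from training traces."""

    def __init__(self, n, alpha=0.5):
        self.n = n              # window covers N-1 calls plus the predicted N-th call
        self.alpha = alpha      # add-alpha smoothing: unseen pairs get a small non-zero probability
        self.joint = defaultdict(Counter)   # joint[kinds][next_call] = count
        self.vocab = set()

    @staticmethod
    def kinds(window):
        # The non-sequential feature: which kinds occur; order and multiplicity are dropped.
        return frozenset(window)

    def train(self, traces):
        for trace in traces:
            self.vocab.update(trace)
            for i in range(self.n - 1, len(trace)):
                self.joint[self.kinds(trace[i - self.n + 1:i])][trace[i]] += 1

    def prob(self, window, next_call):
        row = self.joint.get(self.kinds(window), Counter())
        total = sum(row.values())
        return (row[next_call] + self.alpha) / (total + self.alpha * len(self.vocab))

    def predict(self, window):
        # Most probable N-th call; ties resolve to the alphabetically first kind.
        return max(sorted(self.vocab), key=lambda s: self.prob(window, s))

    def score(self, trace):
        """Mean log-probability of each call given its window; higher means more normal."""
        positions = range(self.n - 1, len(trace))
        if not positions:
            return float("-inf")
        return sum(log(self.prob(trace[i - self.n + 1:i], trace[i])) for i in positions) / len(positions)

    def lift(self, kind, next_call):
        """P(next_call | kind in window) / P(next_call): above 1 means a positive correlation."""
        overall, with_kind = Counter(), Counter()
        for kinds, row in self.joint.items():
            overall.update(row)
            if kind in kinds:
                with_kind.update(row)
        if not with_kind or not overall[next_call]:
            return 0.0
        p_cond = with_kind[next_call] / sum(with_kind.values())
        p_marg = overall[next_call] / sum(overall.values())
        return p_cond / p_marg


def flag_anomalies(model, trace, threshold):
    """Positions whose call is less probable than threshold given its window."""
    return [(i, trace[i]) for i in range(model.n - 1, len(trace))
            if model.prob(trace[i - model.n + 1:i], trace[i]) < threshold]


if __name__ == "__main__":
    model = KindWindowModel(n=3)
    model.train(NORMAL_TRACES)
    print(model.predict(["fstat", "mmap"]), model.predict(["mmap", "fstat"]))
    print(flag_anomalies(model, SUSPECT_TRACE, threshold=0.1))
    print(round(model.lift("write", "close"), 3))
```

Because the window feature is a set of kinds, the windows `["fstat", "mmap"]` and `["mmap", "fstat"]` are indistinguishable to the model and yield the same prediction; that is exactly the non-sequential view the abstract describes, and it is also why a detector of this kind cannot by itself tell reordered calls apart (compare the mimicry attacks of Wagner and Soto [17]). The `lift` ratio is one simple way to express the correlation between kinds: with the constructed traces, `write` in the window raises the probability of a following `close` well above its base rate, whereas `open` in the window never precedes `close`.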
References
[1] Beyond-Security's SecuriTeam.com: Writing Buffer Overflow Exploits - a Tutorial for Beginners, http://www.securiteam.com/securityreviews/5OP0B006UQ.html (accessed 2003-09-05)
[2] Forrest, S., Hofmeyr, S.A., Somayaji, A., Longstaff, T.A.: A sense of self for Unix processes. In: Proceedings of the 1996 IEEE Symposium on Security and Privacy (1996)
[3] Forrest, S., Hofmeyr, S.A., Somayaji, A.: Intrusion detection using sequences of system calls. Journal of Computer Security 6, 151–180 (1998)
[4] Helmer, G., Wong, J., Honavar, V., Miller, L.: Intelligent agents for intrusion detection. In: IEEE Information Technology Conference, September 1998, pp. 121–124 (1998)
[5] Warrender, C., Forrest, S., Pearlmutter, B.: Detecting intrusions using system calls: alternative data models. In: Proceedings of the 1999 IEEE Symposium on Security and Privacy (1999)
[6] Marceau, C.: Characterizing the behavior of a program using multiple-length n-grams. In: Proceedings of the New Security Paradigms Workshop 2000 (2000)
[7] Eskin, E., Lee, W., Stolfo, S.: Modeling system calls for intrusion detection using dynamic window sizes. In: Proceedings of the 2001 DARPA Information Survivability Conference & Exposition, Anaheim, CA (June 2001)
[8] Li, S., Jones, A.: Temporal Signatures for Intrusion Detection. In: 17th Annual Computer Security Applications Conference, December 10-14 (2001)
[9] Kosoresow, A.P., Hofmeyr, S.A.: Intrusion Detection via System Call Traces. IEEE Software 14, 24–42 (1997)
[10] Sekar, R., Bendre, M., Bollineni, P., Dhurjati, D.: A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors. In: Proceedings of the IEEE Symposium on Security and Privacy (2001)
[11] Liao, Y., Vemuri, V.R.: Using Text Categorization Techniques for Intrusion Detection. In: Proceedings of the 11th USENIX Security Symposium (August 2002)
[12] Tan, K.M.C., Maxion, R.A.: Why 6? Defining the Operational Limits of stide, an Anomaly-Based Intrusion Detector. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 188–201 (2002)
[13] Lee, W., Stolfo, S., Chan, P.: Learning Patterns from Unix Process Execution Traces for Intrusion Detection. In: Proceedings of the AAAI 1997 Workshop on AI Methods in Fraud and Risk Management, pp. 50–56 (1997)
[14] Lee, W., Xiang, D.: Information-Theoretic Measures for Anomaly Detection. In: Proceedings of the 2001 IEEE Symposium on Security and Privacy, Oakland, CA (May 2001)
[15] Wagner, D., Dean, D.: Intrusion Detection via Static Analysis. In: Proceedings of the 2001 IEEE Symposium on Security and Privacy (2001)
[16] Oka, M., Abe, H., Oyama, Y., Kato, K.: Intrusion Detection System Based on Static Analysis and Dynamic Detection. In: Proceedings of the Forum on Information Technology (FIT 2003), Japan (September 2003)
[17] Wagner, D., Soto, P.: Mimicry Attacks on Host-Based Intrusion Detection Systems. In: Proceedings of the 9th ACM Conference on Computer and Communications Security (November 2002)
[18] Motomura, Y., Hara, I.: User Model Construction System using Probabilistic Networks, http://staff.aist.go.jp/y.motomura/ipa/ (accessed 2003-09-05)
[19] Conover, W.J.: Practical Nonparametric Statistics. John Wiley & Sons, Inc., New York (1971)
© 2005 Springer-Verlag Berlin Heidelberg
Cite this paper
Tatara, K., Tabata, T., Sakurai, K. (2005). A Probabilistic Method for Detecting Anomalous Program Behavior. In: Lim, C.H., Yung, M. (eds) Information Security Applications. WISA 2004. Lecture Notes in Computer Science, vol 3325. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-31815-6_8
DOI: https://doi.org/10.1007/978-3-540-31815-6_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-24015-0
Online ISBN: 978-3-540-31815-6