Abstract
Analysis of system call sequences generated by privileged programs has been proven to be an effective way of detecting intrusions. There are many approaches of analyzing system call sequences including N-grams, rule induction, finite automata, and Hidden Markov Models. Among these techniques use of finite automata has the advantage of analyzing whole sequences without imposing heavy load to the system. There have been various studies on how to construct finite automata modeling normal behavior of privileged programs. However, previous studies had disadvantages of either constructing finite automata manually or requiring system information other than system calls. In this paper we present fully automatized algorithms to construct finite automata recognizing sequences of normal behaviors and rejecting those of abnormal behaviors without requiring system information other than system calls. We implemented our algorithms and experimented with well-known data sets of system call sequences. The results of the experiments show the efficiency and effectiveness of our system.
This work was supported partly by the Brain Korea 21 Project and partly by the Institute of Information Technology Assessment research project C1-2002-088-0-3.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Cormen, T., Leiserson, C., Rivest, R., Stein, C.: Introduction to Algorithms, 2nd edn., pp. 350–355. MIT Press, Cambridge (2001)
Debar, H., Becker, M., Siboni, D.: A Neural Network Component for an Intrusion Detection System. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 240– 250 (1992)
Denning, D.: An Intrusion Detection Model. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 119–131 (May 1986)
Forrest, S., Hofmeyr, S., Somayaji, A., Longstaff, T.: A Sense of Self for Unix Processes. In: IEEE Symposium on Security and Privacy, pp. 120–128 (1996)
Gusfield, D.: Algorithms on Strings, Trees, and Sequences, pp. 332–350. Cambridge University Press, Cambridge (1997)
Hofmeyr, S., Forrest, S.: Intrusion Detection using Sequence of System Calls. Journal of Computer Security 6, 151–180 (1998)
Javitz, H., Valdes, A.: The SRI IDES Statistical Anomaly Detector. In: Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA (May 1991)
Kosoresow, A.: Intrusion Detection via System Call Traces. IEEE Software 14(5), 35–42 (1997)
Lankewicz, L., Benard, M.: Real Time Anomaly Detection using a Nonparametric Pattern Recognition Approach. In: Proceedings of the Seventh Annual Computer Security Applications Conference, San Antonio, TX (December 1991)
Lunt, T., Tamaru, A., Gilham, F.: IDES: A Progress Report. In: Proceedings of the Sixth Annual Computer Security Applications Conference, Tucson, AZ (December 1990)
Me, L.: GASSATA: A Genetic Algorithm as an Alternative Tool or Security Audit Trails Analysis. In: First International Workshop on the Recent Advances in Intrusion Detection, Louvain-la-Neuve, Belgium (September 1998)
Sekar, R., Bendre, M.: A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors. In: Proceeding of the 2001 IEEE Symposium on Security and Privacy, pp. 144–155 (2001)
Setubal, J.C., Meidanis, J.: Introduction to Computational Molecular Biology, pp. 47–80. PWS Publishing Company (1997)
Smaha, S.: Haystack: An Intrusion Detection System. In: Proceedings of the Fourth IEEE Aerospace Computer Security Applications Conference, Orlando, FL (December 1988)
Vilo, J.: Discovering Frequent Patterns from Strings. Department of Computer Science, University of Helsinki, Technical Report C-1998-9 (May 1998)
Wagner, D.: Intrusion Detection via Static Analysis. In: Proceedings of the 2001 IEEE Symposium on Security and Privacy, pp.156–159 (2001)
Warrender, C., Forrest, S., Pearlmutter, B.: Detecting Intrusions using System Calls: Alternative Data Models. In: Proceedings of the 20th IEEE Symposium on Security and Privacy (1999)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2003 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Wee, K., Moon, B. (2003). Automatic Generation of Finite State Automata for Detecting Intrusions Using System Call Sequences. In: Gorodetsky, V., Popyack, L., Skormin, V. (eds) Computer Network Security. MMM-ACNS 2003. Lecture Notes in Computer Science, vol 2776. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-45215-7_17
Download citation
DOI: https://doi.org/10.1007/978-3-540-45215-7_17
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-40797-3
Online ISBN: 978-3-540-45215-7
eBook Packages: Springer Book Archive