Intrusion Detection Using Variable-Length Audit Trail Patterns

  • Andreas Wespi
  • Marc Dacier
  • Hervé Debar
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1907)

Abstract

Audit trail patterns generated on behalf of a Unix process can be used to model the process behavior. Most of the approaches proposed so far use a table of fixed-length patterns to represent the process model. Variable-length patterns seem more naturally suited to modeling the process behavior, but they are also more difficult to construct. In this paper, we present a novel technique to build a table of variable-length patterns. This technique is based on Teiresias, an algorithm initially developed for discovering rigid patterns in unaligned biological sequences. We evaluate the quality of our technique in a testbed environment, and compare it with the intrusion-detection system proposed by Forrest et al. [8], which is based on fixed-length patterns. The results achieved with our novel method are significantly better than those obtained with the original method based on fixed-length patterns.
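To make the fixed-length baseline concrete, the following is an added example (not code from the paper, nor from Forrest et al.) of the sliding-window approach the abstract contrasts with: every length-k subsequence of system calls seen during normal runs goes into a table, and a new trace is scored by the fraction of its windows that are absent from that table. The system-call names, the training traces, the test traces and the window length k=3 are all constructed for illustration; the anomaly threshold is an assumed tuning parameter, not a value from the paper.

```python
"""Fixed-length audit-trail pattern model (sliding window over system calls).

Added example illustrating the fixed-length baseline described in the
abstract; it is not the paper's Teiresias-based method. All traces below
are constructed sample data, not real C2 audit records.
"""

# Constructed sample traces: each list is the sequence of system calls
# observed for one normal run of a hypothetical process.
NORMAL_TRACES = [
    ["open", "read", "mmap", "mmap", "close", "write", "close"],
    ["open", "read", "mmap", "close", "write", "close"],
    ["open", "mmap", "read", "close", "write", "close"],
]

# Constructed test traces: one grossly abnormal run (the process execs and
# opens a socket, never seen in training) and one that deviates only in
# a single repeated write/close step.
ANOMALOUS_TRACE = ["open", "read", "execve", "fork", "socket", "write", "close"]
SUBTLE_TRACE = ["open", "read", "mmap", "close", "write", "close", "write", "close"]


def windows(trace, k):
    """Yield every contiguous length-k window of a trace as a tuple."""
    for i in range(len(trace) - k + 1):
        yield tuple(trace[i:i + k])


def build_table(traces, k):
    """Build the set of all length-k patterns that occur in normal traces.

    This is the 'table of fixed-length patterns' the abstract refers to:
    the model is nothing more than the set of windows seen during training.
    """
    table = set()
    for trace in traces:
        table.update(windows(trace, k))
    return table


def score_trace(trace, table, k):
    """Return (mismatches, total_windows, mismatch_rate) for one trace.

    A window is a mismatch when it does not appear in the normal table.
    A trace shorter than k yields no windows and therefore no evidence.
    """
    wins = list(windows(trace, k))
    if not wins:
        return 0, 0, 0.0
    mismatches = sum(1 for w in wins if w not in table)
    return mismatches, len(wins), mismatches / len(wins)


def is_anomalous(trace, table, k, threshold=0.1):
    """Flag a trace whose mismatch rate exceeds the (assumed) threshold."""
    return score_trace(trace, table, k)[2] > threshold


if __name__ == "__main__":
    k = 3  # fixed window length, the single knob of this model
    table = build_table(NORMAL_TRACES, k)
    print(f"{len(table)} distinct length-{k} patterns in the normal table")
    for name, trace in [("normal", NORMAL_TRACES[0]),
                        ("subtle", SUBTLE_TRACE),
                        ("anomalous", ANOMALOUS_TRACE)]:
        miss, total, rate = score_trace(trace, table, k)
        flag = "ALERT" if is_anomalous(trace, table, k) else "ok"
        print(f"{name:10s} {miss}/{total} windows unseen (rate {rate:.2f}) -> {flag}")
```

The only free parameter here is k, and that is exactly the limitation the abstract is pointing at: a short window cannot capture a long recurring call sequence as one unit, while a long window fragments short ones and inflates the table. The paper's contribution is to let pattern length vary per pattern, which this baseline cannot express.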

Keywords

Intrusion detection, Teiresias, pattern discovery, pattern matching, variable-length patterns, C2 audit trail, functionality verification tests

Copyright information

© Springer-Verlag Berlin Heidelberg 2000

Authors and Affiliations

  • Andreas Wespi (1)
  • Marc Dacier (1)
  • Hervé Debar (1)
  1. IBM Research, Zurich Research Laboratory, Rüschlikon, Switzerland