Analyzing the Performance of Program Behavior Profiling for Intrusion Detection

  • Anup K. Ghosh
  • Aaron Schwartzbard
Part of the IFIP — The International Federation for Information Processing book series (IFIPAICT, volume 43)


This paper presents an analysis of a simple equality matching algorithm that detects intrusions against systems by profiling the behavior of programs. The premise for this work is that abnormally behaving programs are a primary indicator of computer intrusions. The analysis uses data collected by the Air Force Research Laboratory and provided by the MIT Lincoln Laboratory under the 1998 DARPA Intrusion Detection Evaluation program. Labeled attack sessions are embedded in normal background traffic so that the analysis can measure the probability of detection simultaneously with the probability of false alarm. The analysis uses Receiver Operator Characteristic (ROC) curves to show the performance of the system in terms of the probability of false alarm and probability of detection for different operating points.
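The following sketch is an added example, not the authors' implementation: it shows how an N-gram equality-matching detector can be scored against labeled sessions at several thresholds to produce ROC operating points. The N-gram length, the per-session score (fraction of N-grams absent from the normal profile), the thresholds and the event traces are all assumptions constructed for illustration; the abstract does not specify them.

```python
from typing import Iterable, List, Sequence, Set, Tuple

Gram = Tuple[str, ...]
N = 3  # assumed N-gram length; the abstract does not state one

def ngrams(trace: Sequence[str], n: int = N) -> List[Gram]:
    """Slide a window of length n over one program's event trace."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]

def build_profile(normal_traces: Iterable[Sequence[str]], n: int = N) -> Set[Gram]:
    """Normal profile: every N-gram seen in attack-free training traces."""
    return {g for t in normal_traces for g in ngrams(t, n)}

def anomaly_score(trace: Sequence[str], profile: Set[Gram], n: int = N) -> float:
    """Equality matching: an N-gram counts as anomalous unless it is exactly
    in the profile. Score = fraction of anomalous N-grams (assumed metric)."""
    grams = ngrams(trace, n)
    if not grams:  # trace shorter than n: nothing to judge
        return 0.0
    return sum(g not in profile for g in grams) / len(grams)

def roc_points(scored, thresholds):
    """scored: [(score, is_attack)]. Returns [(threshold, P_fa, P_d)]."""
    attacks = [s for s, is_attack in scored if is_attack]
    normals = [s for s, is_attack in scored if not is_attack]
    return [(th,
             sum(s >= th for s in normals) / len(normals),
             sum(s >= th for s in attacks) / len(attacks))
            for th in thresholds]

# Constructed sample data (event names are placeholders, not DARPA data).
TRAIN = [["open", "read", "write", "close"],
         ["open", "read", "read", "write", "close"]]
SESSIONS = [  # (trace, labeled as attack?)
    (["open", "read", "write", "close"], False),
    (["open", "read", "read", "read", "write", "close"], False),  # benign, unseen
    (["open", "read", "exec", "chmod", "close"], True),
    (["open", "read", "write", "exec", "close"], True),
]

def demo(thresholds=(0.2, 0.5, 0.9)):
    profile = build_profile(TRAIN)
    scored = [(anomaly_score(trace, profile), label) for trace, label in SESSIONS]
    return roc_points(scored, thresholds)

if __name__ == "__main__":
    for th, p_fa, p_d in demo():
        print(f"threshold={th:.1f}  P(false alarm)={p_fa:.2f}  P(detect)={p_d:.2f}")
```

Each threshold is one operating point: lowering it raises the probability of detection but also flags the benign session whose behavior was missing from the training profile.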


Keywords: Anomalous noise, anomaly detection, equality matching, intrusion detection, N-gram, performance evaluation, ROC curve



Copyright information

© IFIP International Federation for Information Processing 2000
