On the Use of Word Networks to Mimicry Attack Detection

  • Fernando Godínez
  • Dieter Hutter
  • Raúl Monroy
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3995)


Intrusion detection aims at raising an alarm any time the security of an IT system gets compromised. Though highly successful, Intrusion Detection Systems are all susceptible of mimicry attacks [1]. A mimicry attack is a variation of an attack that attempts to pass by as normal behaviour. In this paper, we introduce a method which is capable of successfuly detecting a significant and interesting sub-class of mimicry attacks. Our method makes use of a word network [2, 3]. A word network conveniently decomposes a pattern matching problem into a chain of smaller, noise-tolerant pattern matchers, thereby making it more tractable. A word network is realised as a finite state machine, where every state is a hidden Markov model. Our mechanism has shown a 93% of effectivity, with a false positive rate of 3%.


Hide Markov Model False Positive Rate Intrusion Detection System Call Intrusion Detection System 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Wagner, D., Soto, P.: Mimicry Attacks on Host Based Intrusion Detection Systems. In: Proceedings of the Ninth ACM Conference on Computer and Communications Security, Washington, DC, USA, pp. 255–265. ACM, New York (2002)Google Scholar
  2. 2.
    Young, S., Evermann, G., Kershaw, D., Moore, G., Odell, J., Ollason, D., Povey, D., Valtchev, V., Woodland, P.: The HTK Book for HTK Version 3.2, Cambridge University Engineering Department (2002)Google Scholar
  3. 3.
    Pereira, F., Riley, M.: Speech Recognition by Composition of Weighted Finite Automata. In: Roche, E., Schabes, Y. (eds.) Finite-State Language Processing, pp. 431–453. MIT press, Cambridge (1997)Google Scholar
  4. 4.
    Brown, M.: RNA Modeling Using Stochastic Context-Free Grammars. PhD thesis, University of California, Santa Cruz (1999)Google Scholar
  5. 5.
    Manning, C.D., Schütze, H.: Foundations of Statistical Natural Language Processing. MIT Press, Massachusets Institute of Technology, Cambridge, Massachusets 02142 (1999)Google Scholar
  6. 6.
    Rabiner, L.R.: A Tutorial on Hidden Markov Models and Selected Applications in Speech Recognition. Proceedings of the IEEE 77, 257–286 (1989)CrossRefGoogle Scholar
  7. 7.
    Warrender, C., Forrest, S., Pearlmutter, B.: Detecting Intrusions Using System Calls: Alternative Data Models. In: Proceedings of the 1999 IEEE Symposium on Security and Privacy, pp. 133–145. IEEE Computer Society Press, Los Alamitos (1999)Google Scholar
  8. 8.
    Tan, K.M.C., Maxion, R.A.: Why 6? Defining the Operational Limits of STIDE, an Anomaly-Based Intrusion Detector. In: Proceedings of IEEE Symposium on Security & Privacy, pp. 188–201 (2002)Google Scholar
  9. 9.
    Qiao, Y., Xin, X., Bin, Y., Ge, S.: Anomaly Intrusion Detection Method Based on HMM. Electronic Letters 38, 663–664 (2002)CrossRefGoogle Scholar
  10. 10.
    Yeung, D., Ding, Y.: Host-Based Intrusion Detection Using Dynamic and Static Behavioral Models. Pattern Recognition 36, 229–243 (2003)CrossRefMATHGoogle Scholar
  11. 11.
    Kendall, K.: A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems. Master’s thesis, Massachusetts Institute of Technology (1998)Google Scholar
  12. 12.
    Lippman, R.P., Cunningham, R.K., Fried, D.J., Graf, I., Kendall, K.R., Webster, S.E., Zissman, M.A.: Results of the DARPA 1998 Offline Intrusion Detection Evaluation. In: RAID 1999 Conference (1999) (slides presentation)Google Scholar
  13. 13.
    Giffin, J., Jha, S., Miller, B.: Efficient Context-Sensitive Intrusion Detection. In: Proceedings of the 11th Annual Network and Distributed Systems Security Symposium (NDSS), San Diego, California, The Internet Society (2004)Google Scholar
  14. 14.
    Schonlau, M., DuMouchel, W., Ju, W., Karr, A., Theus, M., Vardi, Y.: Computer Intrusion: Detecting Masquerades. Statistical Science 16, 1–17 (2001) (to appear)MathSciNetMATHGoogle Scholar
  15. 15.
    Maxion, R., Townsend, T.: Masquerade Detection Using Truncated Command Lines. In: Proceedings of the International Conference on Dependable Systems & Networks, Washington, DC, pp. 219–228. IEEE, Los Alamitos (2002)CrossRefGoogle Scholar
  16. 16.
    Scott, C., Joel, B., Boleslaw, S., Eric, B.: Intrusion Detection: A Bioinformatics Approach. In: Proceeding of the 19th Annual Computer Security Applications Conference, Las Vegas, Nevada, pp. 24–33 (2003)Google Scholar
  17. 17.
    Boleslaw, S., Yongqiang, Z.: Recursive Data Mining for Masquerade Detection and Author Identification. In: Proceedings of the 5th IEEE System, Man and Cybernetics Information Assurance Workshop, West Point, NY, pp. 424–431. IEEE, Los Alamitos (2004)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Fernando Godínez
    • 1
  • Dieter Hutter
    • 2
  • Raúl Monroy
    • 1
  1. 1.Department of Computer ScienceITESM–Estado de MéxicoEstado de MéxicoMexico
  2. 2.DFKISaarbrücken UniversitySaarbrückenGermany

Personalised recommendations