Abstract
The use of program execution traces to detect intrusions has proven to be a successful strategy. Existing systems that employ this approach are anomaly detectors, meaning that they model a program’s normal behavior and signal deviations from that behavior. Unfortunately, many program-based exploits of NT systems use specialized malicious executables. Anomaly detection systems cannot deal with such programs because there is no standard of “normalcy” that they deviate from.
This paper is a preliminary report on an attempt to remedy that situation. We report on a prototype system that learns to identify specific program behaviors. Though the goal is to identify malicious behavior, in this paper we report on experiments seeking to identify the behavior of the web-browser, since we did not have enough exemplars of malicious behavior to use as training data.
Using automatically generated finite automata, we search for features in execution traces that allow us to distinguish browsers from other programs. In our experiments, we find that this technique does, in fact, allow us to distinguish traces of Internet Explorer from traces of programs that are not web browsers, after training with Netscape and a different set of non-browsers.
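To make the idea concrete, the following is an added example, not code from the paper, of inferring an automaton from execution traces of one program class and using how far it can follow a new trace as a classification feature. The paper does not specify its automaton learner on this page; the example substitutes the classic k-testable inference scheme (states are the last k-1 events, transitions are the k-grams seen in training). The event names and the traces are constructed for illustration, not real Netscape or Internet Explorer data.

```python
from collections import defaultdict
from typing import Dict, List, Sequence, Set, Tuple

START, END = "#", "$"  # padding symbols marking the start and end of a trace


class KTestableAutomaton:
    """Finite automaton inferred from positive traces only.

    A state is the tuple of the last k-1 events; the transition (state, event)
    exists iff that k-gram occurred in some training trace. This is a k-testable
    learner, used here as a stand-in for the paper's (unspecified) automaton
    generator, not a reconstruction of it.
    """

    def __init__(self, k: int = 3) -> None:
        self.k = k
        self.transitions: Dict[Tuple[str, ...], Set[str]] = defaultdict(set)

    def _windows(self, trace: Sequence[str]):
        padded = [START] * (self.k - 1) + list(trace) + [END]
        for i in range(self.k - 1, len(padded)):
            yield tuple(padded[i - self.k + 1:i]), padded[i]

    def train(self, traces: List[List[str]]) -> None:
        for trace in traces:
            for state, event in self._windows(trace):
                self.transitions[state].add(event)

    def coverage(self, trace: Sequence[str]) -> float:
        """Feature: fraction of the trace's transitions the automaton can follow."""
        steps = list(self._windows(trace))
        hits = sum(1 for s, e in steps if e in self.transitions.get(s, ()))
        return hits / len(steps)

    def accepts(self, trace: Sequence[str]) -> bool:
        """Strict membership: every transition, including the final one, must exist."""
        return self.coverage(trace) == 1.0


def classify(trace: Sequence[str], browser_fa: KTestableAutomaton,
             other_fa: KTestableAutomaton) -> str:
    """Label a trace by which class automaton covers more of it."""
    b, o = browser_fa.coverage(trace), other_fa.coverage(trace)
    if b > o:
        return "browser"
    if o > b:
        return "non-browser"
    return "undetermined"


# Constructed training traces (hypothetical API-call names, not real data).
BROWSER_TRAIN = [
    ["open_socket", "connect", "send", "recv", "parse_html", "render",
     "recv", "parse_html", "render"],
    ["open_socket", "connect", "send", "recv", "recv", "parse_html", "render",
     "close_socket"],
    ["load_cache", "open_socket", "connect", "send", "recv", "parse_html",
     "render", "close_socket"],
]
OTHER_TRAIN = [
    ["open_file", "read_file", "read_file", "write_file", "close_file"],
    ["open_file", "read_file", "compute", "compute", "write_file", "close_file"],
    ["open_registry", "read_registry", "open_file", "read_file", "close_file"],
]

BROWSER_FA = KTestableAutomaton(k=3)
BROWSER_FA.train(BROWSER_TRAIN)
OTHER_FA = KTestableAutomaton(k=3)
OTHER_FA.train(OTHER_TRAIN)

# Constructed test traces from programs not seen in training: a second browser
# that inserts an unseen image-decoding step, and a new non-browser tool.
IE_LIKE_TRACE = ["open_socket", "connect", "send", "recv", "decode_image",
                 "render", "recv", "parse_html", "render", "close_socket"]
NEW_TOOL_TRACE = ["open_registry", "read_registry", "compute", "write_file",
                  "close_file"]

if __name__ == "__main__":
    for name, trace in [("IE-like", IE_LIKE_TRACE), ("new tool", NEW_TOOL_TRACE)]:
        print(name, "accepted by browser FA:", BROWSER_FA.accepts(trace),
              "browser coverage: %.2f" % BROWSER_FA.coverage(trace),
              "other coverage: %.2f" % OTHER_FA.coverage(trace),
              "->", classify(trace, BROWSER_FA, OTHER_FA))
```

The point of the coverage feature rather than strict acceptance is visible in the IE-like trace: the unseen `decode_image` step breaks three transitions, so the browser automaton rejects it outright, yet it still covers 8 of 11 transitions while the non-browser automaton covers none, which is enough to classify it correctly. Real traces would need a larger k, far more training data, and a proper learner with state merging, all of which this toy omits.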
This work was sponsored under DARPA contract DAAH01-99-C-R205
© 2000 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Michael, C., Ghosh, A. (2000). Using Finite Automata to Mine Execution Data for Intrusion Detection: A Preliminary Report. In: Debar, H., Mé, L., Wu, S.F. (eds) Recent Advances in Intrusion Detection. RAID 2000. Lecture Notes in Computer Science, vol 1907. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-39945-3_5
DOI: https://doi.org/10.1007/3-540-39945-3_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-41085-0
Online ISBN: 978-3-540-39945-2