Abstract
This paper presents an analysis of a simple equality matching algorithm that detects intrusions against systems by profiling the behavior of programs. The premise for this work is that abnormally behaving programs are a primary indicator of computer intrusions. The analysis uses data collected by the Air Force Research Laboratory and provided by the MIT Lincoln Laboratory under the 1998 DARPA Intrusion Detection Evaluation program. Labeled attack sessions are embedded in normal background traffic so that the analysis can measure the probability of detection simultaneously with the probability of false alarm. The analysis uses Receiver Operator Characteristic (ROC) curves to show the performance of the system in terms of the probability of false alarm and probability of detection for different operating points.
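As an added illustration (not the paper's own code or data), the following Python sketches the style of profiling the abstract describes: fixed-length windows of system calls are matched exactly against a profile built from normal traces, each labelled session receives an anomaly score, and ROC operating points are obtained by sweeping the alarm threshold. The window length, the scoring rule and the sample traces are assumptions for the example, not details taken from the paper.

```python
# Constructed sample traces (not taken from the DARPA/AFRL data): each trace
# is the sequence of system-call names one program run emitted.
NORMAL_TRAIN = [
    ["open", "read", "mmap", "close", "open", "read", "close"],
    ["open", "read", "read", "mmap", "close"],
    ["open", "mmap", "read", "close", "open", "read", "close"],
]
# Labelled test sessions: (trace, is_attack). Attack traces contain call
# patterns the normal profile never saw.
TEST_SESSIONS = [
    (["open", "read", "mmap", "close"], False),
    (["open", "read", "read", "mmap", "close"], False),
    (["open", "read", "close", "open", "mmap", "read"], False),
    (["open", "read", "execve", "socket", "connect", "close"], True),
    (["open", "read", "mmap", "close", "open", "chmod", "close"], True),
]

def windows(trace, k):
    """All length-k windows of consecutive calls in a trace."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]

def build_profile(traces, k):
    """Normal profile: the set of every length-k window seen in training."""
    profile = set()
    for t in traces:
        profile.update(windows(t, k))
    return profile

def anomaly_score(profile, trace, k):
    """Equality matching: fraction of windows with no exact match in the profile."""
    ws = windows(trace, k)
    if not ws:
        return 0.0
    return sum(1 for w in ws if w not in profile) / len(ws)

def roc_points(profile, sessions, k, thresholds):
    """(threshold, P_FA, P_D) per operating point; alarm when score >= threshold."""
    scored = [(anomaly_score(profile, t, k), attack) for t, attack in sessions]
    n_attack = sum(1 for _, a in scored if a)
    n_normal = len(scored) - n_attack
    points = []
    for th in thresholds:
        p_d = sum(1 for s, a in scored if a and s >= th) / n_attack
        p_fa = sum(1 for s, a in scored if not a and s >= th) / n_normal
        points.append((th, p_fa, p_d))
    return points

if __name__ == "__main__":
    prof = build_profile(NORMAL_TRAIN, 3)  # window length 3 is an assumption
    for th, p_fa, p_d in roc_points(prof, TEST_SESSIONS, 3, [0.1, 0.3, 0.5]):
        print(f"threshold={th:.1f}  P_FA={p_fa:.2f}  P_D={p_d:.2f}")
```

Lowering the threshold catches the attack session whose trace is mostly normal, at the cost of flagging a normal session that contains one unseen window; that trade-off is what an ROC curve plots.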
The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-0-387-35508-5_22
© 2000 IFIP International Federation for Information Processing
Cite this chapter
Ghosh, A.K., Schwartzbard, A. (2000). Analyzing the Performance of Program Behavior Profiling for Intrusion Detection. In: Atluri, V., Hale, J. (eds) Research Advances in Database and Information Systems Security. IFIP — The International Federation for Information Processing, vol 43. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-35508-5_2
DOI: https://doi.org/10.1007/978-0-387-35508-5_2
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4757-6411-6
Online ISBN: 978-0-387-35508-5
eBook Packages: Springer Book Archive