Fixed vs. Variable-Length Patterns for Detecting Suspicious Process Behavior
Authors
Abstract
This paper addresses the problem of creating patterns to model the normal behavior of UNIX processes. The pattern model can be used for intrusion-detection purposes. First, we present methods to generate input data sets that enable us to observe the normal behavior of a process in a secure environment. Second, we propose various techniques to derive either fixed-length or variable-length patterns from the input data sets. We show the advantages and drawbacks of each technique, based on the results of the experiments we have run on our testbed.
Similar resources
Intrusion Detection Using Variable-Length Audit Trail Patterns
Audit trail patterns generated on behalf of a Unix process can be used to model the process behavior. Most of the approaches proposed so far use a table of fixed-length patterns to represent the process model. However, variable-length patterns seem to be more naturally suited to model the process behavior, but they are also more difficult to construct. In this paper, we present a novel techniqu...
An Intrusion-Detection System Based on the Teiresias Pattern-Discovery Algorithm
This paper addresses the problem of creating a pattern table that can be used to model the normal behavior of a given process. The model can be used for intrusion-detection purposes. So far, most of the approaches proposed have been based on fixed-length patterns, although variable-length patterns seem to be more naturally suited to model the normal process behavior. We have developed a novel te...
Building an Intrusion-Detection System to Detect Suspicious Process Behavior
As has been shown in S. Forrest's seminal work [1], there are Unix processes whose normal behavior can be modeled by a set of characteristic patterns, a pattern being a subsequence of system calls that a process can generate. Well-suited processes are network services such as ftpd or sendmail. Intrusion-detection systems that make use of this observation first need to build the table of charact...
An Evaluation of an Adaptive Generalized Likelihood Ratio Charts for Monitoring the Process Mean
When the objective is quick detection of both small and large shifts in the process mean with normal distribution, the generalized likelihood ratio (GLR) control charts have better performance as compared to other control charts. Only the fixed parameters are used in Reynolds and Lou’s presented charts. According to the studies, using variable parameters, detect process shifts faster than fixed pa...
Study on the Pull-In Instability of Gold Micro-Switches Using Variable Length Scale Parameter
In this paper, the size dependent behavior of the gold micro-switches has been studied. This behavior becomes noticeable for a structure when the characteristic size such as thickness or diameter is close to its internal length-scale parameter. The size dependent effect is insignificant for the high ratio of the characteristic size to the length-scale parameter, which is the case of the silicon...
Journal title:
- Journal of Computer Security
Volume 8 Issue
Pages -
Publication date 1998