A multi-layer model for anomaly intrusion detection using program sequences of system calls
Authors
Abstract
In this paper we present a new method to process sequences of system calls for anomaly intrusion detection. The key idea is to build a multi-layer model of program behaviours based on both hidden Markov models and enumerating methods for anomaly intrusion detection, which differs from the conventional single-layer approach. Our experiments on the Unix sendmail program have shown that the model is better at detecting anomalous program behaviour in terms of accuracy and response time. As the model uses temporal characteristics, it is suitable for online host-based intrusion detection systems in a LAN environment.
Index Terms: Intrusion detection, anomaly detection, hidden Markov model, machine learning, system call sequence.
Similar sources
Anomaly Detection in Wireless Mobile Ad hoc Networks with Multi-Layer Observation Sequences
Mobile ad hoc Networks (Manet) are very vulnerable to malicious attacks due to the nature of mobile computing environment such as absence of fixed infrastructures, wireless communication channels, limited power and bandwidth, dynamically changing and distributed network topology, etc. The general existing Intrusion Detection Systems (IDS) have provided little evidence that they are applicable t...
A Framework for Studying New Approaches to Anomaly Detection
In this work, we describe a new framework for an anomaly-based intrusion detection system using system call traces. System calls provide an interface between an application and the operating system’s kernel. Since a program frequently requests services via system calls, a trace of these system calls provides a rich profile of program behavior. But we need to use efficient and effective methods ...
Finite Automata Models for Anomaly Detection
A fundamental problem in intrusion detection is the fusion of dependent information sequences. In this paper, we consider the fusion of two such sequences, namely the sequences of system calls and the values of the instruction pointer. We introduce FAAD, a finite automaton representation defined for the product alphabet of the two sequences where dependencies are implicitly taken into account b...
Proposed Multi-Layers Intrusion Detection System (MLIDS) Model
In the digital world, security is the primary concern. Today, most discussions on computer security are centered on the tools or techniques used in protecting and defending networks. Recently, every organization or company has been using intrusion detection systems (IDSs) for detecting malicious attacks. Generally, existing commercial IDSs are based on an anomaly detection architecture. In anomaly dete...
Intrusion Detection using Text Processing Techniques with a Binary-Weighted Cosine Metric
This paper introduces a new similarity measure, termed Binary Weighted Cosine (BWC) metric, for anomaly-based intrusion detection schemes that rely on using sequences of system calls. The new similarity measure considers both the number of shared system calls between two processes as well as frequencies of those calls. The k nearest neighbor (kNN) classifier is used to categorize a process as e...
Publication date: 2003