Abstract
This paper addresses the problem of creating patterns that can be used to model the normal behavior of a given process. These models can be used for intrusion detection purposes. In a previous work, we presented a novel method to generate input data sets that enable us to observe the normal behavior of a process in a secure environment. Using this method, we propose various techniques to generate either fixed-length or variable-length patterns. We show the advantages and drawbacks of each technique, based on the results of the experiments we have run on our testbed.
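As an added illustration of the fixed-length versus variable-length distinction the abstract draws (not code from the paper, and not its techniques), the block below builds both kinds of pattern table from constructed system-call traces and scores a suspect trace against each; the variable-length scheme used here is a simple frequency threshold, an assumption for this example only.

```python
"""Fixed- vs variable-length pattern tables over system-call traces (added example)."""
from collections import Counter

# Constructed traces of "normal" runs; names are illustrative, not from the paper.
NORMAL_TRACES = [
    ["open", "read", "mmap", "mmap", "close", "write", "close"],
    ["open", "read", "mmap", "close", "write", "close"],
    ["open", "mmap", "mmap", "read", "close", "write", "close"],
]
# Constructed suspect trace: an execve where none was ever observed.
SUSPECT_TRACE = ["open", "read", "mmap", "execve", "close", "write", "close"]

def fixed_patterns(traces, k):
    """Every length-k window seen in the normal traces (sliding-window table)."""
    return {tuple(t[i:i + k]) for t in traces for i in range(len(t) - k + 1)}

def variable_patterns(traces, min_len=2, max_len=4, min_count=2):
    """Subsequences of length min_len..max_len seen at least min_count times.
    Assumed frequency-based scheme for this example, not the paper's method."""
    counts = Counter()
    for t in traces:
        for k in range(min_len, max_len + 1):
            for i in range(len(t) - k + 1):
                counts[tuple(t[i:i + k])] += 1
    return {p for p, c in counts.items() if c >= min_count}

def score_fixed(trace, patterns, k):
    """Fraction of the trace's length-k windows that are absent from the table."""
    windows = [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]
    if not windows:
        return 0.0
    return sum(w not in patterns for w in windows) / len(windows)

def cover_variable(trace, patterns):
    """Greedy longest-match cover; returns how many calls no pattern explains."""
    max_len = max(len(p) for p in patterns)
    i, uncovered = 0, 0
    while i < len(trace):
        for length in range(min(max_len, len(trace) - i), 0, -1):
            if tuple(trace[i:i + length]) in patterns:
                i += length
                break
        else:  # no pattern starts here: count the call as unexplained
            uncovered += 1
            i += 1
    return uncovered

if __name__ == "__main__":
    fp, vp = fixed_patterns(NORMAL_TRACES, 3), variable_patterns(NORMAL_TRACES)
    print(score_fixed(SUSPECT_TRACE, fp, 3), cover_variable(SUSPECT_TRACE, vp))
```

The fixed-length table flags every window that overlaps the unseen call (three of five), while the variable-length cover isolates it as a single unexplained call; the trade-off between these two views is what the paper's experiments compare.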
© 1998 Springer-Verlag Berlin Heidelberg
Debar, H., Dacier, M., Nassehi, M., Wespi, A. (1998). Fixed vs. variable-length patterns for detecting suspicious process behavior. In: Quisquater, JJ., Deswarte, Y., Meadows, C., Gollmann, D. (eds) Computer Security — ESORICS 98. ESORICS 1998. Lecture Notes in Computer Science, vol 1485. Springer, Berlin, Heidelberg. https://doi.org/10.1007/BFb0055852
DOI: https://doi.org/10.1007/BFb0055852
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-65004-1
Online ISBN: 978-3-540-49784-4