Title

Considering Both Intra-Pattern And Inter-Pattern Anomalies For Intrusion Detection

Abstract

Various approaches have been proposed to discover patterns from system call trails of UNIX processes to better model application behavior. However, these techniques only consider the relationship between system calls (or system audit events). In this paper, we first refine the definition of maximal patterns given in [8] and provide a pattern extraction algorithm to identify such maximal patterns. We then add one additional dimension to the problem domain by also taking into consideration the overlap relationship between patterns. We argue that an execution path of an application is usually not an arbitrary combination of various patterns; rather, the patterns overlap each other in some specific order. Such overlap relationships characterize the normal behavior of the application. Finally, a novel pattern matching module is proposed to detect intrusions based on both intra-pattern and inter-pattern anomalies. We test this idea using the data sets obtained from the University of New Mexico. The experimental results indicate that our scheme detects significantly more anomalies than the scheme presented in [8] while maintaining a very low false alarm rate. © 2002 IEEE.

Publication Date

12-1-2002

Publication Title

Proceedings - IEEE International Conference on Data Mining, ICDM

Pages

637-640

Document Type

Article; Proceedings Paper

Personal Identifier

scopus

Scopus ID

44049102761 (Scopus)

Source API URL

https://api.elsevier.com/content/abstract/scopus_id/44049102761
