Considering Both Intra-Pattern And Inter-Pattern Anomalies For Intrusion Detection
Various approaches have been proposed to discover patterns from the system call trails of UNIX processes in order to better model application behavior. However, these techniques only consider the relationship between system calls (or system audit events). In this paper, we first refine the definition of maximal patterns given in  and provide a pattern extraction algorithm to identify such maximal patterns. We then add one additional dimension to the problem domain by also taking into consideration the overlap relationship between patterns. We argue that an execution path of an application is usually not an arbitrary combination of various patterns; rather, the patterns overlap each other in some specific order. This overlap relationship characterizes the normal behavior of the application. Finally, a novel pattern matching module is proposed to detect intrusions based on both intra-pattern and inter-pattern anomalies. We test this idea using the data sets obtained from the University of New Mexico. The experimental results indicate that our scheme detects significantly more anomalies than the scheme presented in  while maintaining a very low false alarm rate. © 2002 IEEE.
Proceedings - IEEE International Conference on Data Mining, ICDM
Article; Proceedings Paper
Jiang, Ning; Hua, Kien A.; and Sheu, Simon, "Considering Both Intra-Pattern And Inter-Pattern Anomalies For Intrusion Detection" (2002). Scopus Export 2000s. 2277.