Considering Both Intra-Pattern And Inter-Pattern Anomalies For Intrusion Detection


Various approaches have been proposed to discover patterns in the system call trails of UNIX processes in order to better model application behavior. However, these techniques only consider the relationship between system calls (or system audit events). In this paper, we first refine the definition of maximal patterns given in [8] and provide a pattern extraction algorithm to identify such maximal patterns. We then add one additional dimension to the problem domain by also taking into consideration the overlap relationship between patterns. We argue that an execution path of an application is usually not an arbitrary combination of various patterns; rather, the patterns overlap each other in some specific order. Such overlap relationships characterize the normal behavior of the application. Finally, a novel pattern matching module is proposed to detect intrusions based on both intra-pattern and inter-pattern anomalies. We test this idea using the data sets obtained from the University of New Mexico. The experimental results indicate that our scheme detects significantly more anomalies than the scheme presented in [8] while maintaining a very low false alarm rate. © 2002 IEEE.

Publication Title

Proceedings - IEEE International Conference on Data Mining, ICDM

Document Type

Article; Proceedings Paper

Scopus ID

44049102761 (Scopus)
