Li-zhong Geng,Hui-bo Jia

DOI: https://doi.org/10.1109/ICIC.2009.43

2009-01-01

Abstract:Sequences of system call have become an important data resource of anomaly detection. Considering the large overhead of existing methods to construct normal profile using system call traces, an efficient algorithm is proposed based on STIDE in order to reduce the computing cost. The axis system calls which could represent the characteristics of normal behaviors are extracted by a sequences extracting factor. The improved algorithm measures the interestingness of sequences of system calls by involving the axis system calls, then train and tests the relevant sequences which we are concerned about. Experimental results demonstrate that the computing cost of training and testing in the new way has a reduction of 70% than the standard algorithm.

Yue Shen,Fei Yu,Ling-Fen Zhang,Ji-Yao An,Miao-Liang Zhu

DOI: https://doi.org/10.1109/CANET.2005.1598184

2005-01-01

Abstract:Intrusion detection is an efficient way to protect information system. This paper puts forward a new method of anomalous intrusion detection based on system call. It uses system calls regarded as input, and creates a FSA for the functions in the program. Then the FSA is used to detect the attack. Moreover, It can find the place of the vulnerability which exists in the program. This can help to alter the source program. Results are shown that this method is effective for some intrusion events.

ZHANG Cheng,PENG Qinke

DOI: https://doi.org/10.3969/j.issn.1000-3428.2007.07.050

2007-01-01

Abstract:A novel method is proposed to construct variable-length patterns by using dynamically extracting information from call stack of the process.This method uses the chains of function return addresses to derive a table of variable-length patterns,and reduces the pattern set based on the structure of functions of the process.Then a Markov chain model is constructed based on variable-length patterns to detect abnormal behaviors.The experimental results indicate that compared with the traditional variable-length pattern based method and the first-order Markov chain model method,the proposed method can achieve higher hit rates and lower false alarm rates.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

Zhuowei Li,Amitabha Das

DOI: https://doi.org/10.48550/arXiv.cs/0410068

2004-10-26

Cryptography and Security

Abstract:Anomaly-based intrusion detection (AID) techniques are useful for detecting novel intrusions into computing resources. One of the most successful AID detectors proposed to date is stide, which is based on analysis of system call sequences. In this paper, we present a detailed formal framework to analyze, understand and improve the performance of stide and similar AID techniques. Several important properties of stide-like detectors are established through formal proofs, and validated by carefully conducted experiments using test datasets. Finally, the framework is utilized to design two applications to improve the cost and performance of stide-like detectors which are based on sequence analysis. The first application reduces the cost of developing AID detectors by identifying the critical sections in the training dataset, and the second application identifies the intrusion context in the intrusive dataset, that helps to fine-tune the detectors. Such fine-tuning in turn helps to improve detection rate and reduce false alarm rate, thereby increasing the effectiveness and efficiency of the intrusion detectors.

Jingyu Hua,Mingchu Li,Kouichi Sakurai,Yizhi Ren

DOI: https://doi.org/10.1007/978-3-642-04846-3_11

2009-01-01

Abstract:Some intrusion detection models such as the VPStatic first construct a behavior model for a program via static analysis, and then perform intrusion detection by monitoring whether its execution is consistent with this behavior model. These models usually share the highly desirable feature that they do not produce false alarms but they face the conflict between precision and efficiency. The high precision of the VPStatic is at the cost of high space complexity. In this paper, we propose a new context-sensitive intrusion detection model based on static analysis and stack walks, which is similar to VPStatic but much more efficient, especially in memory use. We replace the automaton in the VPStatic with a state transition table (STT) and all redundant states and transitions in VPStatic are eliminated. We prove that our STT model is a deterministic pushdown automaton (DPDA) and the precision is the same as the VPStatic. Experiments also demonstrate that our STT model reduces both time and memory costs comparing with the VPStatic, in particular, memory overheads are less than half of the VPStatic’s. Thereby, we alleviate the conflict between precision and efficiency.

ZHOU Xing,PENG Qin-ke,WANG Jing-bo

DOI: https://doi.org/10.3969/j.issn.1001-3695.2008.03.076

2008-01-01

Abstract:How to extract sequence patterns of system calls is an important research topic of system call based intrusion detection approaches.This paper proposed a new method to construct variable-length patterns by using the chains of function return addresses information from call stack of the process.Compared with Wang's method,this method could generate a more integrated set of patterns.Then,constructed a two-layer hidden Markov model(HMM) based on variable-length patterns to detect abnormal behaviors.Compared with the traditional HMM method,this method could achieve lower false negatives rate and false positives rate.

Li-zhong Geng,Hui-bo Jia

DOI: https://doi.org/10.1109/aici.2009.92

2009-01-01

Abstract:Intrusion detection systems could rely on short sequences of system calls to distinguish between legitimate and illegitimate activities. We found that the frequencies of system calls in a particular process generally follow the Zipf’s law. It means that there are many sequences which are meaningless to differentiate the ongoing behavior but generate lots of computing waste. Due to improve the performance of existing intrusion detection methods which are implemented in the kernel of operating system, this paper focuses on the negative selection algorithm using maximum entropy model to avoid the degeneration caused by the Valueless repetition of system calls. The improved scheme uses negative selection method to remove the useless computing which is predicted by maximum entropy model. Experimental results demonstrate that the computing cost has a reduction of 50~80% with the same Detection Rate

Guojun Mao,Jing Zhang,Xindong Wu

DOI: https://doi.org/10.1109/wcica.2008.4593135

2008-01-01

Abstract:Computer intrusions are taking place everywhere, and have become a major concern for information security. Most intrusions to a computer system may result from illegitimate or irregular calls to the operating system, so analyzing the system-call sequences becomes an important and fundamental technique to detect potential intrusions. In this paper, we propose two algorithms, based on frequency patterns (FP) and tree patterns (TP) for intrusion detection respectively. FP employs a typical method of sequential mining based on frequency analysis, and uses a short sequence model to quickly find out frequent sequential patterns in the training system-call sequences. TP makes use of the technique of tree pattern mining, and can get a quality profile from the training system-call sequences of a given system. Experimental results show that FP has good performances in training and detecting intrusions from short system-call sequences, and TP can achieve a high detection precision in handling long sequences.

Wenke Lee,Wei Fan,Matthew Miller,Salvatore J. Stolfo,Erez Zadok

DOI: https://doi.org/10.3233/jcs-2002-101-202

2002-01-01

Journal of Computer Security

Abstract:Intrusion detection systems (IDSs) must maximize the realization of security goals while minimizing costs. In this paper, we study the problem of building cost-sensitive intrusion detection models. We examine the major cost factors associated with an IDS, which include development cost, operational cost, damage cost due to successful intrusions, and the cost of manual and automated response to intrusions. These cost factors can be qualified according to a defined attack taxonomy and site-specific security policies and priorities. We define cost models to formulate the total expected cost of an IDS, and present cost-sensitive machine learning techniques that can produce detection models that are optimized for user-defined cost metrics. Empirical experiments show that our cost-sensitive modeling and deployment techniques are effective in reducing the overall cost of intrusion detection.

English Else

WANG Fuhong,PENG Qinke,LI Naijie

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.20.052

2006-01-01

Abstract:A novel simple technique to build a table of variable-length patterns from training system call sequences is presented, aiming to find outa set of basic and relatively independent variable-length patterns. Also, the method finds out all possible relationship between variable-lengthpatterns, and thereby generates an exact DFA representation of the program. Using the data sets from the university of New Mexico, the schema isevaluated by several targets—sizes of variable-length patterns, false positives and false negatives. The experimental results indicate that thealgorithms generate a relative small set of patterns, and get very low false positives and false negatives.

Weitong CHEN,Yuntao QIAN

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.16.050

2006-01-01

Abstract:This paper presents a network intrusion detection method based on Rough Set theory,and use a hybrid method with genetic algorithm to find a possibly short reduct which can reduce computing time.The result of the experiment shows that this model has high detection rate and low false reject rate in detecting DoS and probe attacks,and performs well in detecting R2L and U2R attacks either.

WEI WANG,XIAO-HONG GUAN,XIANG-LIANG ZHANG

DOI: https://doi.org/10.1109/ICMLC.2004.1378514

2004-01-01

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework and a hot topic in computer network security in recent years. In this paper, a new efficient intrusion detection method based on hidden Markov models (HMMs) is presented. HMMs are applied to model the normal program behaviors using traces of system calls issued by processes. The output probability of a sequence of system calls is calculated by the normal model built. If the probability of a sequence in a trace is below a certain threshold, the sequence is flagged as a mismatch. If the ratio between the mismatches and all the sequences in a trace exceeds another threshold, the trace is then considered as a possible intrusion. The method is implemented and tested on the sendmail system call data from the University of New Mexico. Experimental results show that the performance of the proposed method in intrusion detection is better than other methods.

Jiongliang Lin,Yiwen Guo,Hao Chen

2024-04-20

Abstract:Intrusion detection is a long standing and crucial problem in security. A system capable of detecting intrusions automatically is on great demand in enterprise security solutions. Existing solutions rely heavily on hand-crafted rules designed by security operators, which suffer from high false negative rates and poor generalization ability to new, zero-day attacks at scale. AI and machine learning offer promising solutions to address the issues, by inspecting abnormal user behaviors intelligently and automatically from data. However, existing learning-based intrusion detection systems in the literature are mostly designed for small data, and they lack the ability to leverage the power of big data in cloud environments. In this paper, we target at this problem and introduce an intrusion detection system which incorporates large-scale pre-training, so as to train a large language model based on tens of millions of command lines for AI-based intrusion detection. Experiments performed on 30 million training samples and 10 million test samples verify the effectiveness of our solution.

Cryptography and Security,Artificial Intelligence,Computation and Language

王泽芳,陈小平,史烈

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.11.055

2002-01-01

Abstract:Intrustion detection system is very important in computer security.The article introduces the idea of intrusion detection based on system-call monitoring under Linux and the design of the corresponding model.

张邈,徐辉,潘爱民

DOI: https://doi.org/10.3969/j.issn.1000-3428.2003.19.041

2003-01-01

Abstract:The efficiency of content-based intrusion detection systems, the structure of the signature library, the string matching algorithms and the analysis of application level protocols, has been regarded as the most crucial topic for extensive research. This paper introduces SpeedlDS, an efficient experimental content-based IDS. After an overview on several important aspects of design and implementation in which SpeedlDS distinguishes itself from other IDSs are particularly discussed. Experiments are also presented to test the effectiveness and results are proved promising by excelling Snort, a famous and widely used IDS.

Huaping Liu,Yin Jian,Sijia Liu

DOI: https://doi.org/10.1109/etcs.2010.210

2010-01-01

Abstract:Intelligent algorithms applied in intrusion detection system has become a tendency in recent years. An intelligent intrusion detection method is presented, based on rough set theory (RST) and improved binary particle swarm optimization with supported vector machine (IBPSO-SVM), which is combined attribute reduction with parameters optimization. Experiments on KDD CUP'99 dataset show this method can be an effective way for intrusion detection, not only accelerating the training time, but also improving the accuracy of test.

高艳,管晓宏,孙国基,冯力

DOI: https://doi.org/10.3321/j.issn:0254-4164.2004.03.017

2004-01-01

Chinese Journal of Computers

Abstract:This paper presents an intrusion detection method based on the information obtained from real time key sequences. By analyzing the keystroke characteristics and algorithms for keystroke identification with a large numbers of experiments,a weighted Bayesian method using stroke sequences of particular keys as data source is developed. The keystroke models of normal users are established first and then applied to match the keystroke sequences of all users in real time to determine if intrusion taking place. This method can not only perform user authentication beyond login names and passwords, but also constantly monitor the dynamic behaviors of users’ keystroke processes to prevent abusive usage of a particular account of the false users. The paper also discusses the key issues of system implementation and presents the detection results from a real system. Experiments on 1912 login keystroke sequences of 15 users show that the weighted Bayesian method can achieve a false negative ratio of 0.58% and a false positive ratio of 1.64% for user verification, in comparison with the traditional Bayesian method with the about ratios of 2.90% and 6.38%,respectively.The experiments are also performed to test the capability for monitoring the dynamic behaviors of users’ keystroke processes.The results for 1147 keystroke sequences of the same 15 users show that authors’ method is better with the false negative ratios of 2.61% and false positive 5.73% in comparison with 3.77% and 7.36% for traditional Bayesian method.

Guojun Mao,Xindong Wu,Xuxian Jiang

DOI: https://doi.org/10.1080/18756891.2012.670519

2012-01-01

Abstract:Computer intrusions are taking place everywhere, and have become a major concern for information security. Most intrusions to a computer system may result from illegitimate or irregular calls to the operating system, so analyzing the system-call sequences becomes an important and fundamental technique to detect potential intrusions. This paper proposes two models based on data mining technology, respectively called frequency patterns (FP) and tree patterns (TP) for intrusion detection. FP employs a typical method of sequential mining based on frequency analysis, and uses a short sequence model to find out quickly frequent sequential patterns in the training system-call sequences. TP makes use of the technique of tree pattern mining, and can get a quality profile from the training system-call sequences of a given system. Experimental results show that FP has good performances in training and detecting intrusions from short system-call sequences, and TP can achieve a high detection precision in handling long sequences.

DY Yeung,YX Ding

DOI: https://doi.org/10.1016/s0031-3203(02)00026-2

IF: 8

2003-01-01

Pattern Recognition

Abstract:Intrusion detection has emerged as an important approach to network security. In this paper, we adopt an anomaly detection approach by detecting possible intrusions based on program or user profiles built from normal usage data. In particular, program profiles based on Unix system calls and user profiles based on Unix shell commands are modeled using two different types of behavioral models for data mining. The dynamic modeling approach is based on hidden Markov models (HMM) and the principle of maximum likelihood, while the static modeling approach is based on event occurrence frequency distributions and the principle of minimum cross entropy. The novelty detection approach is adopted to estimate the model parameters using normal training data only, as opposed to the classification approach which has to use both normal and intrusion data for training. To determine whether or not a certain behavior is similar enough to the normal model and hence should be classified as normal, we use a scheme that can be justified from the perspective of hypothesis testing. Our experimental results show that the dynamic modeling approach is better than the static modeling approach for the system call datasets, while the dynamic modeling approach is worse for the shell command datasets. Moreover, the static modeling approach is similar in performance to instance-based learning reported previously by others for the same shell command database but with much higher computational and storage requirements than our method.