Yue Shen,Fei Yu,Ling-Fen Zhang,Ji-Yao An,Miao-Liang Zhu

DOI: https://doi.org/10.1109/CANET.2005.1598184

2005-01-01

Abstract:Intrusion detection is an efficient way to protect information system. This paper puts forward a new method of anomalous intrusion detection based on system call. It uses system calls regarded as input, and creates a FSA for the functions in the program. Then the FSA is used to detect the attack. Moreover, It can find the place of the vulnerability which exists in the program. This can help to alter the source program. Results are shown that this method is effective for some intrusion events.

Li-zhong Geng,Hui-bo Jia

DOI: https://doi.org/10.1109/ICIC.2009.43

2009-01-01

Abstract:Sequences of system call have become an important data resource of anomaly detection. Considering the large overhead of existing methods to construct normal profile using system call traces, an efficient algorithm is proposed based on STIDE in order to reduce the computing cost. The axis system calls which could represent the characteristics of normal behaviors are extracted by a sequences extracting factor. The improved algorithm measures the interestingness of sequences of system calls by involving the axis system calls, then train and tests the relevant sequences which we are concerned about. Experimental results demonstrate that the computing cost of training and testing in the new way has a reduction of 70% than the standard algorithm.

Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

Jin-zhong HUANG,Miao-liang ZHU,Ye GUO

DOI: https://doi.org/10.3785/j.issn.1008-973X.2006.02.014

2006-01-01

Abstract:Current anomaly detection technique cannot provide any valuable information except simple alarm. To resolve this problem, a new anomaly detection method was proposed. The system call traces are represented as a kind of hierarchy model composed of system call, operation, transition and activity, while the normal program behavior is described using a context-free grammar with semantic labels attached. Some key system calls and their parameters or return values are used to segment and learn normal traces. Experimental results show that this method can effectively detect attacks exploiting vulnerabilities, and can also analyze anomaly scenes and provide much information on anomalous events including intruders' IP addresses.

XU Ming,DING Hong,CHEN Chun

DOI: https://doi.org/10.3785/j.issn.1008-973x.2005.02.008

2005-01-01

Abstract:In order to exactly and rapidly detect anomaly, a detection model that can exactly depict the profiles of normal process actions was proposed. The consistently repeated system call sequences in normal process traces were regarded as macros, then a Markov chains anomaly detection model based on system call macros was constructed. Conclusions were drawn by comparing the performance metrics of Macro MCM (Markov chains model) with the first-order MCM and second-order MCM based on system call. The comparison shows that in detection performance (hit rates and false alarm rates), Macro MCM is better than the other two models; in needed memory capability, Macro MCM is more than the first-order MCM, but less than the second-order MCM; in computing speed, the training speed of Macro MCM is the slowest among three models, but its detection speed is the highest.

Nitin Kanaskar,Remzi Seker,Jiang Bian,Vir V. Phoha

DOI: https://doi.org/10.1109/TSMCC.2012.2208187

2012-01-01

Abstract:Code injection is a common approach which is utilized to exploit applications. We introduce some of the well-established techniques and formalisms of dynamical system theory into analysis of program behavior via system calls to detect code injections into an applications execution space. We accept a program as a blackbox dynamical system whose internals are not known, but whose output we can observe. The blackbox system observable in our model is the system calls the program makes. The collected system calls are treated as signals which are used to reconstruct the system’s phase space. Then, by using the well-established techniques from dynamical system theory, we quantify the amount of complexity of the system’s (program’s) behavior. The change in the behavior of a compromised system is detected as anomalous behavior compared with the baseline established from a clean program. We test the proposed approach against DARPA-98 dataset and a real-world exploit and present code injection experiments to show the applicability of our approach.

耿立中,贾惠波

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.05.004

2010-01-01

Abstract:The existing intrusion detection methods based on sequences of system calls have a large overhead to construct normal profile.An efficient algorithm using statistical language models is proposed based on STIDE in order to reduce the computing cost.The system calls which can represent the characteristics of normal behaviors are extracted by an N-gram method.The improved algorithm extracts the most relevant sequences of system calls.Experimental results demonstrate that the computing cost of the improved algorithm has a reduction of 70% than the standard one and no degradation of detecting rate and false positive rate.

Jingyu Hua,Mingchu Li,Kouichi Sakurai,Yizhi Ren

DOI: https://doi.org/10.1007/978-3-642-04846-3_11

2009-01-01

Abstract:Some intrusion detection models such as the VPStatic first construct a behavior model for a program via static analysis, and then perform intrusion detection by monitoring whether its execution is consistent with this behavior model. These models usually share the highly desirable feature that they do not produce false alarms but they face the conflict between precision and efficiency. The high precision of the VPStatic is at the cost of high space complexity. In this paper, we propose a new context-sensitive intrusion detection model based on static analysis and stack walks, which is similar to VPStatic but much more efficient, especially in memory use. We replace the automaton in the VPStatic with a state transition table (STT) and all redundant states and transitions in VPStatic are eliminated. We prove that our STT model is a deterministic pushdown automaton (DPDA) and the precision is the same as the VPStatic. Experiments also demonstrate that our STT model reduces both time and memory costs comparing with the VPStatic, in particular, memory overheads are less than half of the VPStatic’s. Thereby, we alleviate the conflict between precision and efficiency.

Amod Pandit,R Joe Stanley,Bruce McMillin

Abstract:Intrusion detection systems (IDS) attempt to address the vulnerability of computer-based systems for abuse by insiders and to penetration by outsiders. An IDS is required to examine an enormous amount of data generated by computer networks to assist in the abuse detection process. Thus, there is a need to develop automated tools that address these requirements to assist system operators in the detection of violations of existing security policies. In this research, an automated IDS is proposed for insider threats in a distributed system. The proposed IDS functions as an anomaly detector for insider system operations based on the analysis of the system's log files. The approach integrates dynamic programming and adaptive resonance theory (ART1) clustering. The integrated approach aligns sequences of log events with prototypical sequences of events for performing tasks and classifies the aligned sequences for intrusion detection. The system examined for this research is a Boots System for controlling the movement of boots from one place to another under specific security restrictions related to the boot orders. We present the proposed model, the results achieved and the analysis of an implemented prototype.

L Feng,XH Guan,SG Guo,Y Gao,PN Liu

DOI: https://doi.org/10.1016/j.cose.2004.01.016

IF: 5.105

2004-01-01

Computers & Security

Abstract:Identifying the intentions or attempts of the monitored agents through observations is very vital in computer network security. In this paper, a plan recognition method for predicting the anomaly events and the intentions of possible intruders to a computer system is developed based on the observation of system call sequences. The probability of the goal state for a system call sequence is defined as the prediction index to determine if the intention is normal. An efficient algorithm based on the dynamic Bayesian network theory with parameter compensation is derived and then applied to update the index recursively. Extensive empirical testing is performed on the data sets published in the literature and those collected in an actual computer system at our lab. The testing results showed that this method can identify the intrusion behaviors from the observed system call sequences with good accuracy.

Zhuowei Li,Amitabha Das

DOI: https://doi.org/10.48550/arXiv.cs/0410068

2004-10-26

Cryptography and Security

Abstract:Anomaly-based intrusion detection (AID) techniques are useful for detecting novel intrusions into computing resources. One of the most successful AID detectors proposed to date is stide, which is based on analysis of system call sequences. In this paper, we present a detailed formal framework to analyze, understand and improve the performance of stide and similar AID techniques. Several important properties of stide-like detectors are established through formal proofs, and validated by carefully conducted experiments using test datasets. Finally, the framework is utilized to design two applications to improve the cost and performance of stide-like detectors which are based on sequence analysis. The first application reduces the cost of developing AID detectors by identifying the critical sections in the training dataset, and the second application identifies the intrusion context in the intrusive dataset, that helps to fine-tune the detectors. Such fine-tuning in turn helps to improve detection rate and reduce false alarm rate, thereby increasing the effectiveness and efficiency of the intrusion detectors.

谭小彬,王卫平,奚宏生,殷保群

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.12.073

2002-01-01

Abstract:The paper builds a Markov model of system calls sequence on computer system for intrusion detection, and introduces an anomaly detection method for computer systems. It analyses the current system calls sequences by using the knowledge on statistics, then defines a mismatch factor based on transition probabilities to compute the mismatch rate, and judges whether the process is in normal state or not by analyzing the mismatch rate. It also gives an updated algorithm of transition probabilities based on forgetting factor.

WEI WANG,XIAO-HONG GUAN,XIANG-LIANG ZHANG

DOI: https://doi.org/10.1109/ICMLC.2004.1378514

2004-01-01

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework and a hot topic in computer network security in recent years. In this paper, a new efficient intrusion detection method based on hidden Markov models (HMMs) is presented. HMMs are applied to model the normal program behaviors using traces of system calls issued by processes. The output probability of a sequence of system calls is calculated by the normal model built. If the probability of a sequence in a trace is below a certain threshold, the sequence is flagged as a mismatch. If the ratio between the mismatches and all the sequences in a trace exceeds another threshold, the trace is then considered as a possible intrusion. The method is implemented and tested on the sendmail system call data from the University of New Mexico. Experimental results show that the performance of the proposed method in intrusion detection is better than other methods.

XIA Nai,GUO Ming-song,Bing Mao,Li Xie

DOI: https://doi.org/10.3321/j.issn:0372-2112.2007.02.038

2007-01-01

Abstract:Attacks to program vulnerabilities is a severe problem nowadays.This paper puts forward a new simplified approach based on programs' runtime control flow monitoring.Compared to the methods based on system call sequence analysis,this approach has better granularity;Compared to the methods using whole call graph verification,it has the same effectiveness but more applicable.The results show that this approach can detect many kinds of known attacks to program vulnerabilities.

ZHAO Yu-ming,ZHANG Wei,teng SH

2007-01-01

Abstract:The technique of intrusion detection has become a focus in the field ofnetwork security. This paper introduced the categories of intrusion detection and the methods of data mining applied in abnormal detection. It also described the design and implementation of the abnormal IDS based on system call and data mining algorithms.

Wei Wang,Xiaohong Guan,Xiangliang Zhang

DOI: https://doi.org/10.1007/978-3-540-28648-6_105

2004-01-01

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework and a hot topic in computer security in recent years. In this paper, a new intrusion detection method based on Principle Component Analysis (PCA) with low overhead and high efficiency is presented. System call data and command sequences data are used as information sources to validate the proposed method. The frequencies of individual system calls in a trace and individual commands in a data block are computed and then data column vectors which represent the traces and blocks of the data are formed as data input. PCA is applied to reduce the high dimensional data vectors and distance between a vector and its projection onto the subspace reduced is used for anomaly detection. Experimental results show that the proposed method is promising in terms of detection accuracy, computational expense and implementation for real-time intrusion detection.

Li-zhong Geng,Hui-bo Jia

DOI: https://doi.org/10.1109/aici.2009.92

2009-01-01

Abstract:Intrusion detection systems could rely on short sequences of system calls to distinguish between legitimate and illegitimate activities. We found that the frequencies of system calls in a particular process generally follow the Zipf’s law. It means that there are many sequences which are meaningless to differentiate the ongoing behavior but generate lots of computing waste. Due to improve the performance of existing intrusion detection methods which are implemented in the kernel of operating system, this paper focuses on the negative selection algorithm using maximum entropy model to avoid the degeneration caused by the Valueless repetition of system calls. The improved scheme uses negative selection method to remove the useless computing which is predicted by maximum entropy model. Experimental results demonstrate that the computing cost has a reduction of 50~80% with the same Detection Rate

ZHOU Yong-lu,WU Hai-yan,JIANG Dong-xing

DOI: https://doi.org/10.3969/j.issn.1671-0428.2012.05.004

2012-01-01

Abstract:As traditional security techniques fail to protect web applications from attacks,more research has focus on intrusion detection for web applications.Access logs are the most important data source for intrusion detection.However,log files usually contain a huge quantity of records.Without effective methods,it is not feasible for administrator to inspect and locate intrusions.Misuse detection and anomaly detection models have been proposed to solve this problem.This paper conducts intrusion detection over a real web application based on statistical anomaly-based models.The result shows these models can effectively detect attacks like SQL injection.

Wei Wang,Xiaohong Guan,Xiangliang Zhang,Liwei Yang

DOI: https://doi.org/10.1016/j.cose.2006.05.005

IF: 5.105

2006-01-01

Computers & Security

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework. In recent years, it has been a widely studied topic in computer network security. In this paper, we present two methods, namely, the Hidden Markov Models (HMM) method and the Self Organizing Maps (SOM) method, to profile normal program behavior for anomaly intrusion detection based on computer audit data. The HMM method utilizes the transition property of events while SOM method relies on the frequency property of events. Two data sets, CERT synthetic Sendmail system call data collected in the University of New Mexico (UNM) and Live FTP system call data collected in the CNSIS lab of Xi'an Jiaotong University, were used to assess the two methods. Testing results show that the HMM method using the transition property of events produces good detection performance while high computational expense is required both for training and detection. The HMM method is better than other two methods reported previously in terms of detection accuracy for the same data set. The SOM method considering the frequency property of events, on the other hand, is suitable for real-time intrusion detection because of its capability of processing a large amount of data with low computational overhead.