Yue Shen,Fei Yu,Ling-Fen Zhang,Ji-Yao An,Miao-Liang Zhu

DOI: https://doi.org/10.1109/CANET.2005.1598184

2005-01-01

Abstract:Intrusion detection is an efficient way to protect information system. This paper puts forward a new method of anomalous intrusion detection based on system call. It uses system calls regarded as input, and creates a FSA for the functions in the program. Then the FSA is used to detect the attack. Moreover, It can find the place of the vulnerability which exists in the program. This can help to alter the source program. Results are shown that this method is effective for some intrusion events.

Jin-zhong HUANG,Miao-liang ZHU,Ye GUO

DOI: https://doi.org/10.3785/j.issn.1008-973X.2006.02.014

2006-01-01

Abstract:Current anomaly detection technique cannot provide any valuable information except simple alarm. To resolve this problem, a new anomaly detection method was proposed. The system call traces are represented as a kind of hierarchy model composed of system call, operation, transition and activity, while the normal program behavior is described using a context-free grammar with semantic labels attached. Some key system calls and their parameters or return values are used to segment and learn normal traces. Experimental results show that this method can effectively detect attacks exploiting vulnerabilities, and can also analyze anomaly scenes and provide much information on anomalous events including intruders' IP addresses.

Panhong Wang,Liang Shi,Beizhan Wang,Yuanqin Wu,Yangbin Liu

DOI: https://doi.org/10.1109/iccse.2010.5593839

2010-01-01

Abstract:Intrusion detection based on System calls is a very important domain of anomaly detection, this paper firstly introduces the basic idea of Hidden Markov Model (HMM) based intrusion detection, and then expounds its current development with comparisons about the merits and shortcomings to the current mainstream technologies, by the way, presenting some further discussions upon the future direction of the HMM-based intrusion detection.

Ling DONG,Hongli ZHANG,Lin YE

DOI: https://doi.org/10.3969/j.issn.2095-2163.2014.04.004

2014-01-01

Abstract:System calls are the interface between operating system and user programs.Execution of each program must use some system calls.In recent years,network security incidents occur frequently,intrusion detection method based on the system call sequence analysis has become one of the hot network security technology researches.This paper presents a multi-layer model of program behaviours based on both hidden Markov models and enumerating methods,which differs from the conventional single layer approach.On experimental data provided by the University of New Mexico,experimental results have shown that the model is better in detecting anomalous behaviour of programs in terms of accuracy and response time, which indicates that this method is suitable for online host -based intrusion detection systems.

Shi Pu,Bo Lang

DOI: https://doi.org/10.1007/978-3-540-74171-8_65

2007-01-01

Abstract:System call sequences are useful criteria to judge the behaviors of processes. How to generate an efficient matching algorithm and how to build up an implementable system are two of the most difficult problems. In this paper, we explore the possibility of extending consecutive system call to incorporate temporal signature to the Host-based Intrusion Detection System. In this model, we use the real-time detected system call sequences and their consecutive time interval as the data source, and use temporal signature to filter the real model. During the monitoring procedure, we use data mining methods to analyze the source dynamically and implement incremental learning mechanism. Through studying small size samples and incremental learning, the detecting ability of the system can be still good when the sample's size is small. This paper also introduces the key technologies to build such a system, and verifies this intrusion detection method in real time environment. Finally, this paper gives the experiments results to verify the availability and efficiency of our system.

Cheng Zhang,Qinke Peng

DOI: https://doi.org/10.1007/11596981_47

2005-01-01

Abstract:Anomaly detection has emerged as an important approach to computer security. In this paper, a new anomaly detection method based on Hidden Markov Models (HMMs) is proposed to detect intrusions. Both system calls and return addresses from the call stack of the program are extracted dynamically to train and test HMMs. The states of the models are associated with the system calls and the observation symbols are associated with the sequences of return addresses from the call stack. Because the states of HMMs are observable, the models can be trained with a simple method which requires less computation time than the classical Baum-Welch method. Experiments show that our method reveals better detection performance than traditional HMMs based approaches.

徐明,陈纯,应晶

2004-01-01

Journal of Software

Abstract:The aim of this paper is to create a new anomaly detection model based on rules. A detailed classification of the LINUX system calls according to their function and level of threat is presented. The detection model only aims at critical calls (I.e. The threat level 1 calls). In the learning process, the etection model dynamically processes every critical call, but does not use data mining or statistics from static data. Therefore, the increment learning could be implemented. Based on some simple predefined rules and refining, the number of rules in the rule database could be reduced dramatically, so that the rule match time can be reduced effectively during detection processing. The experimental results clearly demonstrate that the detection model can effectively detect R2L, R2R and L2R attacks. Moreover the detected anomaly is limited in the corresponding requests, but not in the entire trace. The detection model is fit for the privileged processes, especially for those based on request-responses.

ZHANG Jun,SU Pu-rui,FENG Deng-guo

2006-01-01

Journal of Computer Applications

Abstract:The technology of Intrusion Detection is one of the important measures to protect the networks.Host-based intrusion detection is used to protect the key hosts.A flexible loading intrusion detection based on system-call was introduced in this paper.This system improved the common data collection method,and adopted virtual equipment driversto acquire system call.This method brings small influence on system,is easy to load and unload,and provides the standard interface. The data analysis integrates the two detection methods: anomaly and misuse,which provides corresponding detection models and introduces the noise filtering function.

WU Ying,JIANG Jian-hui,ZHANG Rui

DOI: https://doi.org/10.3969/j.issn.1002-137x.2011.01.004

2011-01-01

Computer Science

Abstract:System call based intrusion detection is currently a hot subject of research all over the world.The existing system call based intrusion detection techniques and theories with their respective challenges and research trends were discussed comprehensively,especially those(that are) newly developed.We hold that with the advent of the Tide-based commercial intrusion detection system(IDS) SanAPT,how to improve detection performance,to decrease error alarm rate and to solve issues on multiplatform,lightweight,and distribution related to practicality of the IDSs will be hot topics in this field.

ZHAO Yu-ming,ZHANG Wei,teng SH

2007-01-01

Abstract:The technique of intrusion detection has become a focus in the field ofnetwork security. This paper introduced the categories of intrusion detection and the methods of data mining applied in abnormal detection. It also described the design and implementation of the abnormal IDS based on system call and data mining algorithms.

谭小彬,王卫平,奚宏生,殷保群

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.12.073

2002-01-01

Abstract:The paper builds a Markov model of system calls sequence on computer system for intrusion detection, and introduces an anomaly detection method for computer systems. It analyses the current system calls sequences by using the knowledge on statistics, then defines a mismatch factor based on transition probabilities to compute the mismatch rate, and judges whether the process is in normal state or not by analyzing the mismatch rate. It also gives an updated algorithm of transition probabilities based on forgetting factor.

Wang Zhigang,Qian Xingkun,Wang Dongliang

DOI: https://doi.org/10.3969/j.issn.1009-6833.2006.07.009

2006-01-01

Abstract:First,the research progress of intrusion detection is recalled,then the model of an IDS based on Markov and BW is presented.An example of using system call trace data,which is usually used in intrusion detection,is given to illustrate the performance of this model.Finally.comparison of detection ability between the above detection method and others is given.lt is found that the IDS based on HMM System Call squence has improve the accuracy greatly.

ZHANG Cheng,PENG Qinke

DOI: https://doi.org/10.3969/j.issn.1000-3428.2007.07.050

2007-01-01

Abstract:A novel method is proposed to construct variable-length patterns by using dynamically extracting information from call stack of the process.This method uses the chains of function return addresses to derive a table of variable-length patterns,and reduces the pattern set based on the structure of functions of the process.Then a Markov chain model is constructed based on variable-length patterns to detect abnormal behaviors.The experimental results indicate that compared with the traditional variable-length pattern based method and the first-order Markov chain model method,the proposed method can achieve higher hit rates and lower false alarm rates.

He Xi,Jiang Jianchun,Ding Liping,Wang Yongji,Liao Xiaofeng

DOI: https://doi.org/10.3969/j.issn.1000-386X.2012.08.001

2012-01-01

Abstract:The technique of intrusion detection based on sequence of host system call is a security detection technique mainly focusing on analysing the data set of host system call and further finding the intrusion.Its key technology relies on how to extract the characteristics of system call sequence more accurately and then followed by classification.In this paper,aiming at this,LDA(Latent Dirichlet Allocation) text mining model is introduced to build a new intrusion detection classification algorithm.In this method,topic characteristics of system call sequence are extracted using LDA model which the short sequence of system call is regarded by the method as word.Combined with the frequency characteristics of system calls,kNN(k-Nearest Neighbor) classification algorithm is used for anomaly detection.Experiment is evaluated on 1998 DAPRA data set,the result shows that the method improves the accuracy of intrusion detection,and reduces the false alarm rate.

Wei Pan,Weihua Li,Wanxin Zhao

DOI: https://doi.org/10.1109/mines.2009.159

2009-01-01

Abstract:Anomaly detection of executable program is a security detection solution that examines whether security violation issues exist in programs. The paper presents a novel anomaly detection approach for executable program security (ADEPS), which monitors program executions and detects anomalous program behaviors. Through reverse analysis of executable program, critical behavior monitoring points can be extracted from binary code sequences and memory space. A hybrid neural network model is proposed to detect abnormal attacks and classify detected attacks from actual program behaviors. The experimental results demonstrate that the proposed approach can effectively and accurately perform anomaly detection.

LiuMing,XueZhi,XuXianghua,ZhongChangmin,ChenJinjun

IF: 16.6

2018-01-01

ACM Computing Surveys

Abstract:In a contemporary data center, Linux applications often generate a large quantity of real-time system call traces, which are not suitable for traditional host-based intrusion detection systems depl...

Ye Du,Tong Wang

DOI: https://doi.org/10.1109/kamw.2008.4810611

2008-01-01

Abstract:Intrusion detection has emerged as an important approach to security problems. This paper proposes an effective anomaly detection method based on Unix shell commands to learn patterns. By looking upon each short shell commands sequence as an instance and each observable symbol as a bag that contains some instances, the task of detecting abnormal behaviors can be mapped as multiple-instance learning. KNN algorithm and Euclidean distances are selected as learning approach and a new kernel method is proposed to calculate the deviation between normal and intrusive bags. The algorithm is simple and can be directly applied. Experiments demonstrate that the method can construct accurate and concise discriminator to detect intrusive actions.

ZHANG Yi-rong,XIAN Ming,XIAO Shun-ping,WANG Guo-yu

DOI: https://doi.org/10.3969/j.issn.1001-3695.2006.09.038

2006-01-01

Abstract:The paper presents an idea of profiling normal processes according to multi-layer BP(Back Propagation) neural network.The experiment result in the 1998 DARPA intrusion detection evaluation data set and the performance comparison with K-Nearest neighbor classifier and time-delay embedding with(frequency) threshold(stide) algorithms show that the proposed algorithm achieves a high detection rate under a quite low false positive rate.