Title :
Using extended information to refine program behavior profile
Author :
Feng Xie ; Yong Peng ; Dongqing Chen
Author_Institution :
China Inf. Technol., Security Evaluation Center, Beijing, China
Abstract :
System calls provide the interface between an application and the operating system, and system-call traces are widely used to detect network intrusions. In this paper, by extracting extended information from the system call stack, we construct a new audit event, which we name the l-call, and use it to refine the program behavior profile. We also propose a Chebyshev's inequality based approach to measure the anomaly degree, which reflects how far observed behavior deviates from normal behavior as a result of an intrusion. Compared with the system call, the l-call has much finer granularity and describes program behavior more precisely. Although the number of distinct l-calls is greater than the number of system calls, which inevitably leads to greater storage overhead, extensive experiments show that these costs remain at an acceptable level and that the l-call-based model achieves better detection performance than the system-call-based model.
Keywords :
computer network security; data flow analysis; operating systems (computers); Chebyshev inequality based approach; detect network intrusions; extended information; l-call-based model; operating system; program behavior profile refinement; program profile; system call stack; system-call-based model; Chebyshev's inequality; anomaly degree; extended information; l-call;
Conference_Titel :
Communication Technology (ICCT), 2012 IEEE 14th International Conference on
Conference_Location :
Chengdu
Print_ISBN :
978-1-4673-2100-6
DOI :
10.1109/ICCT.2012.6511343