• DocumentCode
    2359801
  • Title
    Temporal signatures for intrusion detection
  • Author
    Jones, Anita ; Li, Song
  • fYear
    2001
  • fDate
    10-14 Dec. 2001
  • Firstpage
    252
  • Lastpage
    261
  • Abstract
    We introduce a new method for detecting intrusions based on the temporal behavior of applications. It builds on an existing method of application intrusion detection developed at the University of New Mexico that uses a system call sequence as a signature. Intrusions are detected by comparing the signature of the intrusion and that of the normal application. But when the system call sequences generated by the intrusion and the normal application are sufficiently similar, this method cannot work. By extending system call signature to incorporate temporal information related to the application, we form a richer signature. Analysis shows that the temporal behavior for many applications is relatively stable. We exclude high variance data when creating a normal database to characterize an application with a temporal signature. It can then be the basis for future comparisons in an intrusion detection system. This paper discusses experiments that test the effectiveness of the temporal signature on different applications, alternative intrusions, and in various environments. The results show that by choosing appropriate analysis methods and experimentally adjusting the parameters, intrusions are readily detected. Finally, we give some comparisons between the temporal signature method and the system call method.
  • Keywords
    security of data; system monitoring; temporal logic; applications; call sequence as signature; intrusion detection; system call method; temporal behavior; temporal information; temporal signatures; Application software; Buffer overflow; Computer crime; Databases; Intrusion detection; Monitoring; Operating systems; Security; Testing; Time measurement;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Computer Security Applications Conference, 2001. ACSAC 2001. Proceedings 17th Annual
  • Print_ISBN
    0-7695-1405-7
  • Type
    conf
  • DOI
    10.1109/ACSAC.2001.991541
  • Filename
    991541