Detecting intrusions using system calls: alternative data models

Author

Warrender, Christina ; Forrest, Stephanie ; Pearlmutter, Barak

Author_Institution

Dept. of Comput. Sci., New Mexico Univ., Albuquerque, NM, USA

fYear

1999

fDate

1999

Firstpage

133

Lastpage

145

Abstract

Intrusion detection systems rely on a wide variety of observable data to distinguish between legitimate and illegitimate activities. We study one such observable-sequences of system calls into the kernel of an operating system. Using system-call data sets generated by several different programs, we compare the ability of different data modeling methods to represent normal behavior accurately and to recognize intrusions. We compare the following methods: simple enumeration of observed sequences; comparison of relative frequencies of different sequences; a rule induction technique; and hidden Markov models (HMMs). We discuss the factors affecting the performance of each method and conclude that for this particular problem, weaker methods than HMMs are likely sufficient

Keywords

authorisation; hidden Markov models; knowledge based systems; operating system kernels; safety systems; HMMs; alternative data models; data modeling methods; hidden Markov models; illegitimate activities; intrusion detection systems; legitimate activities; normal behavior; observable data; observed sequences; operating system kernel; relative frequencies; rule induction technique; simple enumeration; system calls; system-call data sets; Computer science; Data models; Distributed computing; Hidden Markov models; Intrusion detection; Monitoring; Packaging; Proposals; Reactive power; Security;

fLanguage

English

Publisher

ieee

Conference_Titel

Security and Privacy, 1999. Proceedings of the 1999 IEEE Symposium on

Conference_Location

Oakland, CA

ISSN

1081-6011

Print_ISBN

0-7695-0176-1

Type

conf

DOI

10.1109/SECPRI.1999.766910

Filename

766910