Title :
Modeling system calls for intrusion detection with dynamic window sizes
Author :
Eskin, Eleazar ; Lee, Wenke ; Stolfo, Salvatore J.
Author_Institution :
Dept. of Comput. Sci., Columbia Univ., New York, NY, USA
Abstract :
We extend prior research on system call anomaly detection modeling methods for intrusion detection by incorporating dynamic window sizes. The window size is the length of the subsequence of a system call trace which is used as the basic unit for modeling program or process behavior. In this work we incorporate dynamic window sizes and show marked improvements in anomaly detection. We present two methods for estimating the optimal window size based on the available training data. The first method is an entropy modeling method which determines the optimal single window size for the data. The second method is a probability modeling method that takes into account context dependent window sizes. A context dependent window size model is motivated by the way that system calls are generated by processes. Sparse Markov transducers (SMTs) are used to compute the context dependent window size model. We show over actual system call traces that the entropy modeling methods lead to the optimal single window size. We also show that context dependent window sizes outperform traditional system call modeling methods
Keywords :
Markov processes; military computing; security of data; DARPA; data security; dynamic window sizes; entropy modeling method; intrusion detection; probability modeling method; sparse Markov transducers; system call anomaly detection modeling; system call trace; Buffer overflow; Computer science; Context modeling; Entropy; Intrusion detection; Robustness; Surface-mount technology; Training data; Transducers; Windows;
Conference_Titel :
DARPA Information Survivability Conference & Exposition II, 2001. DISCEX '01. Proceedings
Conference_Location :
Anaheim, CA
Print_ISBN :
0-7695-1212-7
DOI :
10.1109/DISCEX.2001.932213
