Title :
Finding the vocabulary of program behavior data for anomaly detection
Abstract :
Application-based anomaly detectors construct a baseline model of normal application behavior, and deviations from that behavior are interpreted as signs of a possible intrusion. But current anomaly detectors monitor application behavior at a high level of detail, and many irrelevant variations in that behavior can cause false alarms. This paper discusses the preprocessing of audit data ultimately used by application-based anomaly detection systems. The goal is to create a more abstract picture of program behavior that filters out many irrelevant details. Our specific approach automatically identifies repeating sub-sequences of behavior events and sequences of events that always occur together. This preprocessing technique can be used with a wide variety of program-based anomaly detectors; here we present empirical results showing how it improves the performance of the well-known stide anomaly detection system.
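As an added example (not code from the paper), the two abstractions the abstract names, carried out on constructed system-call traces and then fed to a simplified stide (lookup of sliding windows in a normal database): a benign trace that differs from training only by an extra repeated call raises a mismatch on the raw trace but none after preprocessing, while an injected call is flagged either way. The function names, the pair-merging rule and the traces are assumptions, not the paper's.

```python
# Added illustration, not the paper's code: collapse repeated sub-sequences, merge events
# that always occur together, then count stide mismatches for raw vs. preprocessed traces.
def collapse_repeats(trace, max_len=4):
    out = list(trace)
    for n in range(1, max_len + 1):  # shortest repeats first, so nested repeats fold too
        i = 0
        while i + 2 * n <= len(out):
            if out[i:i + n] == out[i + n:i + 2 * n]:
                del out[i + n:i + 2 * n]  # drop the second copy, re-check at i
            else:
                i += 1
    return out
def learn_pairs(traces):  # a -> b when every occurrence of a is immediately followed by b
    follower = {}
    for tr in traces:
        for i, a in enumerate(tr):
            nxt = tr[i + 1] if i + 1 < len(tr) else None
            if a in follower and follower[a] != nxt:
                follower[a] = None  # more than one successor: not a fixed pair
            else:
                follower.setdefault(a, nxt)
    return {a: b for a, b in follower.items() if b is not None}
def merge_pairs(trace, pairs):  # emit "a+b" as a single token wherever a learned pair occurs
    out, i = [], 0
    while i < len(trace):
        if i + 1 < len(trace) and pairs.get(trace[i]) == trace[i + 1]:
            out.append(trace[i] + "+" + trace[i + 1]); i += 2
        else:
            out.append(trace[i]); i += 1
    return out

def stide_db(traces, k):  # normal database: every length-k window seen in training
    return {tuple(tr[i:i + k]) for tr in traces for i in range(len(tr) - k + 1)}

def stide_mismatches(trace, db, k):  # windows of the test trace absent from db
    return sum(tuple(trace[i:i + k]) not in db for i in range(len(trace) - k + 1))

def evaluate(train, tests, k=3):  # {name: (raw mismatches, preprocessed mismatches)}
    collapsed = [collapse_repeats(t) for t in train]
    pairs = learn_pairs(collapsed)
    raw_db, pre_db = stide_db(train, k), stide_db([merge_pairs(t, pairs) for t in collapsed], k)
    return {n: (stide_mismatches(t, raw_db, k),
                stide_mismatches(merge_pairs(collapse_repeats(t), pairs), pre_db, k))
            for n, t in tests.items()}

# Constructed sample traces: a loop that stats a path a varying number of times, then writes.
TRAIN = [["open", "read", "write", "fsync", "close", "exit"],
         ["open", "stat", "stat", "read", "write", "fsync", "close", "exit"],
         ["open", "stat", "read", "write", "fsync", "read", "write", "fsync", "close", "exit"]]
TESTS = {"benign_extra_stat": ["open", "stat", "stat", "stat", "read", "write", "fsync", "close", "exit"],
         "unlink_injected": ["open", "read", "unlink", "write", "fsync", "close", "exit"]}
```

`evaluate(TRAIN, TESTS)` gives `(1, 0)` for the benign trace and `(3, 3)` for the injected call, so the abstraction removes the false alarm without hiding the real deviation.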
Keywords :
auditing; security of data; application-based anomaly detection systems; application-based anomaly detectors; audit data preprocessing; baseline model; intrusion; normal application behavior; program behavior data vocabulary; repeating sub-sequences; Data analysis; Detectors; Filtering; Information analysis; Information systems; Intrusion detection; Monitoring; Object detection; Performance analysis; Vocabulary;
Conference_Title :
DARPA Information Survivability Conference and Exposition, 2003. Proceedings
Print_ISBN :
0-7695-1897-4
DOI :
10.1109/DISCEX.2003.1194881