DocumentCode :
434544
Title :
Dynamic learning of automata from the call stack log for anomaly detection
Author :
Liu, Zhen ; Bridges, Susan M.
Author_Institution :
Dept. of Comput. Sci. & Eng., Mississippi State Univ., USA
Volume :
1
fYear :
2005
fDate :
4-6 April 2005
Firstpage :
774
Abstract :
Anomaly detection based on monitoring of sequences of system calls has proved to be an effective approach for detection of previously unknown attacks on programs. This paper describes a new model for profiling normal program behavior that can be used to detect intrusions that change application execution flow. The model (hybrid push down automaton, HPDA) incorporates call stack information and can be learned by dynamic analysis of training data captured from the call stack log. The learning algorithm uses call stack information maintained by the program to build a finite state automaton. When compared to other approaches including VtPath which also uses call stack information, the HPDA model produces a more compact and general representation of control flow, handles recursion naturally, can be learned with less training data, and has a lower false positive rate when used for anomaly detection. In addition, dynamic learning can also be used to supplement a model acquired from static analysis.
Keywords :
data handling; finite state machines; learning systems; program diagnostics; security of data; anomaly detection; call stack information; dynamic learning; hybrid push down automaton; learning algorithm; static analysis; Bridges; Change detection algorithms; Computer science; Computerized monitoring; Data analysis; Heuristic algorithms; Information analysis; Learning automata; Power system modeling; Training data;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Information Technology: Coding and Computing, 2005. ITCC 2005. International Conference on
Print_ISBN :
0-7695-2315-3
Type :
conf
DOI :
10.1109/ITCC.2005.136
Filename :
1428558