| A. P. Kosoresow and S. A. Hofmeyr, "Intrusion Detection via System Call Traces", IEEE Software, September/October 1997, pp. 35-42. |
....activities. These schemes include, among others, rule induction [14, 15, 16], (artificial) neural networks [17, 18, 19], fuzzy set theory [20], classical machine learning algorithms [21, 22], artificial immune systems [23, 24], signal processing methods [25] and temporal sequence learning [26, 27]. A challenge that all developers of anomaly detection-based intrusion detection classifiers must address is feature selection/data reduction. Clearly, the inclusion of too much data will adversely impact the performance of the system, while the inclusion of too little data will reduce the ....
Kosoresow, A. P. and Hofmeyr, S. A., "Intrusion Detection via System Call Traces," IEEE Software, vol. 14, pp. 24-42, 1997.
....In addition, we believe that regular languages make our specifications easier to understand and more concise. Although regular grammars are less expressive than context-free grammars, the difference is much less pronounced when these grammars are augmented with state variables. Forrest et al. [Forrest97, Kosoresow97] developed intrusion detection techniques inspired by immune systems in animals. They characterize self for a UNIX process in terms of sequences of system calls that are made by the process under normal conditions. Intrusion is detected by monitoring for foreign system call se System Call ....
A. Kosoresow and S. Hofmeyr, Intrusion detection via system call traces, IEEE Software '97.
....[Figure 2. Automaton learnt by our algorithm for Example 1] Several researchers [25, 14] have shown that the problem of learning compact FSA is hard. For instance, [14] show that learning approximately optimal FSA is as hard as integer factorization. [16] describe a methodology for learning system calls using finite state automata. However, no algorithm is provided for constructing FSAs from system call traces. Instead, they rely on human insight and intuition to construct FSA states and edges from sequences. [30] studied several learning ....
....of learning normal user or system behaviors. We focus our discussion below on anomaly detection techniques most closely related to our approach. Approaches Based on Learning Program Behaviors. The use of system call sequences to model program behaviors was first suggested by Forrest et al. [5]. [16] proposes to increase the accuracy of the N-gram learning algorithm by using an FSA representation. However, no algorithm is provided for FSA construction; instead, a manual procedure is employed. [18] describes an algorithm for constructing finite state automata from strings, but their algorithm ....
Kosoresow, A. P. and Hofmeyr, S. A., "Intrusion Detection via System Call Traces," IEEE Software, vol. 14, pp. 24-42, 1997.
....does not consider such a characteristic, any result of an intrusion detection method based on a fixed-length approach is distorted and certain intrusions and/or misuses cannot be detected. So, it seems that one has to consider patterns of variable length. Such an approach is examined in [62] and the results obtained are shown therein to be very promising. However, the patterns presented in that work are constructed manually due to the lack of an automated method. It is obvious that such a manual selection or design of the patterns is inadequate for an automatic intrusion detection of ....
A.P. Kosoresow and S.A. Hofmeyr. Intrusion detection via system call traces. IEEE Software, pages 35--42, 1997.
....a critical issue. Survivability is the ability of the system to continue to perform its critical functions in a timely manner even in the face of large-scale failures or coordinated, malicious attacks. Several techniques for intrusion detection have been developed recently, such as [2], [3] and [4]. One direction of recent research is specification-based attack detection methods. We have designed a new approach that combines attack prevention, detection, and isolation techniques. The technique is based on a specification of security-related behaviors given in a high-level language, called ....
A. Kosoresow and S. Hofmeyr, "Intrusion Detection via System Call Traces", IEEE Software, vol. 14, no. 5, Sept-Oct, 1997.
....Kerberos [29] and the Secure Socket Layer [34] provide the means to augment applications which communicate over the network with cryptographic functionality. Still other efforts focus on adding instrumentation to COTS operating systems and server applications to support intrusion detection [17, 23, 20, 21, 11, 12, 22], maintain synthetic jail environments to contain intruders [9], or both [32]. Each of the efforts listed above provides a useful solution in its own problem domain, but is generally limited in scope to a single kind of security augmentation, be it access controls, authentication protocols, or ....
A. Kosoresow and S. Hofmeyr. Intrusion Detection via System Call Traces. IEEE Software, 14(5), September /October 1997.
....the three algorithms, we first present related work in program-based intrusion detection. 2 Analyzing Program Behavior for Anomaly Detection. Analyzing program behavior profiles for intrusion detection has recently emerged as a viable alternative to user-based approaches to intrusion detection (see [7, 21, 12, 5, 3, 6, 14] for other program-based approaches). Program behavior profiles are built by capturing system calls made by the program under analysis under normal operational conditions. If the captured behavior represents a compact and adequate signature of normal behavior, then the profile can be used to ....
....of all strings captured during the online session, then an intrusion is registered. The application of this technique was shown viable for the Unix programs sendmail, lpr, and ftpd. It was later recognized by a research group out of Columbia University [14] and by another research project at UNM [12] that program anomalies were temporally located in clusters. Thus, averaging the number of anomalies over the entire execution trace, as performed in UNM's earlier work, could potentially wash out the intrusive behavior among normal variation in program behavior. Hence, the notion of ....
[Article contains additional citation context not shown here]
A.P. Kosoresow and S.A. Hofmeyr. Intrusion detection via system call traces. Software, 14(5):35--42, September-October 1997. IEEE Computer Society.
No context found.
A. P. Kosoresow and S. A. Hofmeyr, "Intrusion Detection via System Call Traces", IEEE Software, September/October 1997, pp. 35-42.
No context found.
A. Kosoresow and S. Hofmeyr, Intrusion detection via system call traces, IEEE Software '97.
No context found.
Kosoresow, A. and Hofmeyr, S. (1997). Intrusion Detection via System Call Traces. IEEE Software, 14(5):35-42.