Abstract
Audit sequences have been used effectively to study process behavior and to build host-based intrusion detection models. Most sequence-based techniques scan the sequences with a pre-defined window size to model process behavior. In this paper we propose two methods for extracting variable-length patterns from audit sequences that avoid the need for such a pre-determined parameter. We also present an abstract representation of a sequence based on the empirically determined variable-length patterns (motifs) it contains, and explore the use of this representation for detecting anomalous sequences. Our anomaly detection methodology takes two factors into account: the presence of individual malicious motifs, and the spatial relationships between the motifs present in a sequence. Our method therefore subsumes most past work, which is based primarily on the first factor alone. Preliminary experimental observations are encouraging.
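To make the two scoring factors concrete, the following is an added, self-contained Python example; it is not the paper's code, and the system-call traces, function names and the min_support threshold are constructed for illustration. Frequent patterns are grown Apriori-style (a length n+1 candidate is counted only if its length-n prefix was frequent) until no extension reaches the support threshold, so motif length is determined by the data rather than by a window; each trace is then tiled with the longest known motif at every position, and a trace is scored by (1) tokens that are not known motifs and (2) adjacent known motifs that never occurred adjacently in training. The paper also uses motifs learned from attack data; this simplification models only the normal profile.

```python
"""Motif-based representation and anomaly scoring for audit sequences.

Illustrative example, not the paper's own code. Traces, names and the
support threshold are constructed assumptions.
"""
from collections import Counter
from typing import Dict, List, Sequence, Set, Tuple

Trace = Tuple[str, ...]


def count_ngrams(traces: Sequence[Trace], n: int) -> Counter:
    """Count every contiguous n-gram across all traces."""
    counts: Counter = Counter()
    for t in traces:
        for i in range(len(t) - n + 1):
            counts[t[i:i + n]] += 1
    return counts


def extract_motifs(traces: Sequence[Trace], min_support: int) -> Set[Trace]:
    """Variable-length frequent patterns, grown level by level.

    Growth stops when no extension is frequent, so no window size is fixed
    in advance; only the support threshold is a parameter.
    """
    motifs: Set[Trace] = set()
    frequent = {p for p, k in count_ngrams(traces, 1).items() if k >= min_support}
    n = 1
    while frequent:
        motifs |= frequent
        n += 1
        frequent = {p for p, k in count_ngrams(traces, n).items()
                    if k >= min_support and p[:-1] in frequent}
    return motifs


def tile(trace: Trace, motifs: Set[Trace], max_len: int) -> List[Trace]:
    """Greedy left-to-right cover of a trace with the longest motif at each
    position. A symbol that starts no multi-symbol motif becomes a
    length-1 token, which may or may not itself be a known motif."""
    tokens: List[Trace] = []
    i = 0
    while i < len(trace):
        tok: Trace = (trace[i],)
        for n in range(min(max_len, len(trace) - i), 1, -1):
            if trace[i:i + n] in motifs:
                tok = trace[i:i + n]
                break
        tokens.append(tok)
        i += len(tok)
    return tokens


class MotifModel:
    """Normal-behavior profile: the motif vocabulary plus which motif pairs
    were observed adjacent in training (the spatial relationship)."""

    def __init__(self, min_support: int = 2):
        self.min_support = min_support
        self.motifs: Set[Trace] = set()
        self.max_len = 1
        self.transitions: Set[Tuple[Trace, Trace]] = set()

    def fit(self, traces: Sequence[Trace]) -> "MotifModel":
        self.motifs = extract_motifs(traces, self.min_support)
        self.max_len = max(len(m) for m in self.motifs)
        for t in traces:
            toks = self.represent(t)
            self.transitions |= set(zip(toks, toks[1:]))
        return self

    def represent(self, trace: Trace) -> List[Trace]:
        """Abstract representation: the trace as a sequence of motif tokens."""
        return tile(trace, self.motifs, self.max_len)

    def score(self, trace: Trace) -> Dict[str, int]:
        toks = self.represent(trace)
        # Factor 1: tokens that are not part of the learned vocabulary.
        unknown = sum(1 for tok in toks if tok not in self.motifs)
        # Factor 2: known motifs placed next to each other in a way never
        # seen in training; pairs involving an unknown token are already
        # charged under factor 1 and are skipped here.
        unseen = sum(1 for a, b in zip(toks, toks[1:])
                     if a in self.motifs and b in self.motifs
                     and (a, b) not in self.transitions)
        return {"unknown_motifs": unknown, "unseen_pairs": unseen}


# Constructed training traces (assumed normal behaviour of one program).
TRAINING: List[Trace] = [
    ("open", "read", "close", "open", "write", "close"),
    ("open", "write", "close", "open", "read", "close"),
    ("open", "read", "close", "mmap", "munmap", "open", "write", "close"),
    ("open", "write", "close", "mmap", "munmap", "open", "read", "close"),
]
NORMAL: Trace = ("open", "write", "close", "open", "read", "close")
# A symbol never seen in training: flagged by factor 1.
UNKNOWN_SYMBOL: Trace = ("open", "read", "close", "execve", "open", "write", "close")
# Only known motifs, but in an arrangement not seen in training: factor 2.
REARRANGED: Trace = ("mmap", "munmap", "open", "read", "close", "open", "write", "close")

if __name__ == "__main__":
    model = MotifModel(min_support=2).fit(TRAINING)
    for name, t in [("normal", NORMAL), ("unknown", UNKNOWN_SYMBOL), ("rearranged", REARRANGED)]:
        print(name, model.represent(t), model.score(t))
```

The greedy tiling is the simplest way to obtain a unique representation; a trace whose symbols are all individually frequent can still score as anomalous under factor 2, which is exactly the case a detector keyed only on individual patterns would miss.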
Copyright information
© 2004 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Tandon, G., Mitra, D., Chan, P.K. (2004). Motif-Oriented Representation of Sequences for a Host-Based Intrusion Detection System. In: Orchard, B., Yang, C., Ali, M. (eds) Innovations in Applied Artificial Intelligence. IEA/AIE 2004. Lecture Notes in Computer Science(), vol 3029. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-24677-0_62
DOI: https://doi.org/10.1007/978-3-540-24677-0_62
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-22007-7
Online ISBN: 978-3-540-24677-0