Nothing Special   »   [go: up one dir, main page]
Skip to main content
Springer Nature Link
Log in

Automatic Generation of Finite State Automata for Detecting Intrusions Using System Call Sequences

  • Conference paper
Computer Network Security (MMM-ACNS 2003)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 2776))

Abstract

Analysis of system call sequences generated by privileged programs has been proven to be an effective way of detecting intrusions. There are many approaches of analyzing system call sequences including N-grams, rule induction, finite automata, and Hidden Markov Models. Among these techniques use of finite automata has the advantage of analyzing whole sequences without imposing heavy load to the system. There have been various studies on how to construct finite automata modeling normal behavior of privileged programs. However, previous studies had disadvantages of either constructing finite automata manually or requiring system information other than system calls. In this paper we present fully automatized algorithms to construct finite automata recognizing sequences of normal behaviors and rejecting those of abnormal behaviors without requiring system information other than system calls. We implemented our algorithms and experimented with well-known data sets of system call sequences. The results of the experiments show the efficiency and effectiveness of our system.

This work was supported partly by the Brain Korea 21 Project and partly by the Institute of Information Technology Assessment research project C1-2002-088-0-3.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Cormen, T., Leiserson, C., Rivest, R., Stein, C.: Introduction to Algorithms, 2nd edn., pp. 350–355. MIT Press, Cambridge (2001)

    MATH  Google Scholar 

  2. Debar, H., Becker, M., Siboni, D.: A Neural Network Component for an Intrusion Detection System. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 240– 250 (1992)

    Google Scholar 

  3. Denning, D.: An Intrusion Detection Model. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 119–131 (May 1986)

    Google Scholar 

  4. Forrest, S., Hofmeyr, S., Somayaji, A., Longstaff, T.: A Sense of Self for Unix Processes. In: IEEE Symposium on Security and Privacy, pp. 120–128 (1996)

    Google Scholar 

  5. Gusfield, D.: Algorithms on Strings, Trees, and Sequences, pp. 332–350. Cambridge University Press, Cambridge (1997)

    Book  MATH  Google Scholar 

  6. Hofmeyr, S., Forrest, S.: Intrusion Detection using Sequence of System Calls. Journal of Computer Security 6, 151–180 (1998)

    Google Scholar 

  7. Javitz, H., Valdes, A.: The SRI IDES Statistical Anomaly Detector. In: Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA (May 1991)

    Google Scholar 

  8. Kosoresow, A.: Intrusion Detection via System Call Traces. IEEE Software 14(5), 35–42 (1997)

    Article  Google Scholar 

  9. Lankewicz, L., Benard, M.: Real Time Anomaly Detection using a Nonparametric Pattern Recognition Approach. In: Proceedings of the Seventh Annual Computer Security Applications Conference, San Antonio, TX (December 1991)

    Google Scholar 

  10. Lunt, T., Tamaru, A., Gilham, F.: IDES: A Progress Report. In: Proceedings of the Sixth Annual Computer Security Applications Conference, Tucson, AZ (December 1990)

    Google Scholar 

  11. Me, L.: GASSATA: A Genetic Algorithm as an Alternative Tool or Security Audit Trails Analysis. In: First International Workshop on the Recent Advances in Intrusion Detection, Louvain-la-Neuve, Belgium (September 1998)

    Google Scholar 

  12. Sekar, R., Bendre, M.: A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors. In: Proceeding of the 2001 IEEE Symposium on Security and Privacy, pp. 144–155 (2001)

    Google Scholar 

  13. Setubal, J.C., Meidanis, J.: Introduction to Computational Molecular Biology, pp. 47–80. PWS Publishing Company (1997)

    Google Scholar 

  14. Smaha, S.: Haystack: An Intrusion Detection System. In: Proceedings of the Fourth IEEE Aerospace Computer Security Applications Conference, Orlando, FL (December 1988)

    Google Scholar 

  15. Vilo, J.: Discovering Frequent Patterns from Strings. Department of Computer Science, University of Helsinki, Technical Report C-1998-9 (May 1998)

    Google Scholar 

  16. Wagner, D.: Intrusion Detection via Static Analysis. In: Proceedings of the 2001 IEEE Symposium on Security and Privacy, pp.156–159 (2001)

    Google Scholar 

  17. Warrender, C., Forrest, S., Pearlmutter, B.: Detecting Intrusions using System Calls: Alternative Data Models. In: Proceedings of the 20th IEEE Symposium on Security and Privacy (1999)

    Google Scholar 

  18. http://www.cs.unm.edu/~immsec/systemcalls.htm

Download references

Author information

Authors and Affiliations

  1. Ajou University, Suwon, S. Korea, 442-749

    Kyubum Wee

  2. SitecSoft, Seoul, S. Korea, 135-090

    Byungeun Moon

Authors
  1. Kyubum Wee
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Byungeun Moon
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. St. Petersburg Intitute for Informaticsand Automation, 39, 14-th Liniya, 199178, St. Petersburg, Russia

    Vladimir Gorodetsky

  2. AFRL/IF, 525 Brooks Rd., 13441-4505, Rome, NY, USA

    Leonard Popyack

  3. US Air Force, Binghamton University (SUNYI), 13902, Binghamton, NY, USA

    Victor Skormin

Rights and permissions

Reprints and permissions

Copyright information

© 2003 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Wee, K., Moon, B. (2003). Automatic Generation of Finite State Automata for Detecting Intrusions Using System Call Sequences. In: Gorodetsky, V., Popyack, L., Skormin, V. (eds) Computer Network Security. MMM-ACNS 2003. Lecture Notes in Computer Science, vol 2776. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-45215-7_17

Download citation

  • DOI: https://doi.org/10.1007/978-3-540-45215-7_17

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-40797-3

  • Online ISBN: 978-3-540-45215-7

  • eBook Packages: Springer Book Archive

Publish with us

Policies and ethics

Search

Navigation