Detecting intrusions using system calls: alternative data models

Christina Warrender, Stephanie Forrest, Barak Pearlmutter

Research output: Contribution to journal › Conference article

393 Citations (Scopus)

Abstract

Intrusion detection systems rely on a wide variety of observable data to distinguish between legitimate and illegitimate activities. In this paper we study one such observable: sequences of system calls into the kernel of an operating system. Using system-call data sets generated by several different programs, we compare the ability of different data modeling methods to represent normal behavior accurately and to recognize intrusions. We compare the following methods: simple enumeration of observed sequences, comparison of relative frequencies of different sequences, a rule induction technique, and Hidden Markov Models (HMMs). We discuss the factors affecting the performance of each method, and conclude that for this particular problem, weaker methods than HMMs are likely sufficient.

Original language: English (US)
Pages (from-to): 133-145
Number of pages: 13
Journal: Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy
State: Published - Jan 1 1999
Externally published: Yes
Event: Proceedings of the 1999 IEEE Symposium on Security and Privacy - Oakland, CA, USA
Duration: May 9 1999 to May 12 1999

Fingerprint

Hidden Markov models
Data structures
Intrusion detection

ASJC Scopus subject areas

  • Software

Cite this

Detecting intrusions using system calls: alternative data models. / Warrender, Christina; Forrest, Stephanie; Pearlmutter, Barak.

In: Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy, 01.01.1999, p. 133-145.


@article{2f037fe7076f4d2088aa654f828e6543,
title = "Detecting intrusions using system calls: alternative data models",
abstract = "Intrusion detection systems rely on a wide variety of observable data to distinguish between legitimate and illegitimate activities. In this paper we study one such observable: sequences of system calls into the kernel of an operating system. Using system-call data sets generated by several different programs, we compare the ability of different data modeling methods to represent normal behavior accurately and to recognize intrusions. We compare the following methods: simple enumeration of observed sequences, comparison of relative frequencies of different sequences, a rule induction technique, and Hidden Markov Models (HMMs). We discuss the factors affecting the performance of each method, and conclude that for this particular problem, weaker methods than HMMs are likely sufficient.",
author = "Christina Warrender and Stephanie Forrest and Barak Pearlmutter",
year = "1999",
month = "1",
day = "1",
language = "English (US)",
pages = "133--145",
journal = "Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy",
issn = "1063-7109",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
}

TY - JOUR

T1 - Detecting intrusions using system calls

T2 - alternative data models

AU - Warrender, Christina

AU - Forrest, Stephanie

AU - Pearlmutter, Barak

PY - 1999/1/1

Y1 - 1999/1/1

N2 - Intrusion detection systems rely on a wide variety of observable data to distinguish between legitimate and illegitimate activities. In this paper we study one such observable: sequences of system calls into the kernel of an operating system. Using system-call data sets generated by several different programs, we compare the ability of different data modeling methods to represent normal behavior accurately and to recognize intrusions. We compare the following methods: simple enumeration of observed sequences, comparison of relative frequencies of different sequences, a rule induction technique, and Hidden Markov Models (HMMs). We discuss the factors affecting the performance of each method, and conclude that for this particular problem, weaker methods than HMMs are likely sufficient.

AB - Intrusion detection systems rely on a wide variety of observable data to distinguish between legitimate and illegitimate activities. In this paper we study one such observable: sequences of system calls into the kernel of an operating system. Using system-call data sets generated by several different programs, we compare the ability of different data modeling methods to represent normal behavior accurately and to recognize intrusions. We compare the following methods: simple enumeration of observed sequences, comparison of relative frequencies of different sequences, a rule induction technique, and Hidden Markov Models (HMMs). We discuss the factors affecting the performance of each method, and conclude that for this particular problem, weaker methods than HMMs are likely sufficient.

UR - http://www.scopus.com/inward/record.url?scp=0032639421&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=0032639421&partnerID=8YFLogxK

M3 - Conference article

AN - SCOPUS:0032639421

SP - 133

EP - 145

JO - Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy

JF - Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy

SN - 1063-7109

ER -