Detecting intrusions using system calls: alternative data models

Christina Warrender; Stephanie Forrest; Barak Pearlmutter

Detecting intrusions using system calls: alternative data models

Christina Warrender, Stephanie Forrest, Barak Pearlmutter

Research output: Contribution to journal › Conference article › peer-review

Abstract

Intrusion detection systems rely on a wide variety of observable data to distinguish between legitimate and illegitimate activities. In this paper we study one such observable-sequences of system calls into the kernel of an operating system. Using system-call data sets generated by several different programs, we compare the ability of different data modeling methods to represent normal behavior accurately and to recognize intrusions. We compare the following methods: Simple enumeration of observed sequences, comparison of relative frequencies of different sequences, a rule induction technique, and Hidden Markov Models (HMMs). We discuss the factors affecting the performance of each method, and conclude that for this particular problem, weaker methods than HMMs are likely sufficient.

Original language	English (US)
Pages (from-to)	133-145
Number of pages	13
Journal	Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy
State	Published - Jan 1 1999
Externally published	Yes
Event	Proceedings of the 1999 IEEE Symposium on Security and Privacy - Oakland, CA, USA Duration: May 9 1999 → May 12 1999

ASJC Scopus subject areas

Software

Cite this

@article{2f037fe7076f4d2088aa654f828e6543,

title = "Detecting intrusions using system calls: alternative data models",

abstract = "Intrusion detection systems rely on a wide variety of observable data to distinguish between legitimate and illegitimate activities. In this paper we study one such observable-sequences of system calls into the kernel of an operating system. Using system-call data sets generated by several different programs, we compare the ability of different data modeling methods to represent normal behavior accurately and to recognize intrusions. We compare the following methods: Simple enumeration of observed sequences, comparison of relative frequencies of different sequences, a rule induction technique, and Hidden Markov Models (HMMs). We discuss the factors affecting the performance of each method, and conclude that for this particular problem, weaker methods than HMMs are likely sufficient.",

author = "Christina Warrender and Stephanie Forrest and Barak Pearlmutter",

year = "1999",

month = jan,

day = "1",

language = "English (US)",

pages = "133--145",

journal = "Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy",

issn = "1063-7109",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

note = "Proceedings of the 1999 IEEE Symposium on Security and Privacy ; Conference date: 09-05-1999 Through 12-05-1999",

}

TY - JOUR

T1 - Detecting intrusions using system calls

T2 - Proceedings of the 1999 IEEE Symposium on Security and Privacy

AU - Warrender, Christina

AU - Forrest, Stephanie

AU - Pearlmutter, Barak

PY - 1999/1/1

Y1 - 1999/1/1

N2 - Intrusion detection systems rely on a wide variety of observable data to distinguish between legitimate and illegitimate activities. In this paper we study one such observable-sequences of system calls into the kernel of an operating system. Using system-call data sets generated by several different programs, we compare the ability of different data modeling methods to represent normal behavior accurately and to recognize intrusions. We compare the following methods: Simple enumeration of observed sequences, comparison of relative frequencies of different sequences, a rule induction technique, and Hidden Markov Models (HMMs). We discuss the factors affecting the performance of each method, and conclude that for this particular problem, weaker methods than HMMs are likely sufficient.

AB - Intrusion detection systems rely on a wide variety of observable data to distinguish between legitimate and illegitimate activities. In this paper we study one such observable-sequences of system calls into the kernel of an operating system. Using system-call data sets generated by several different programs, we compare the ability of different data modeling methods to represent normal behavior accurately and to recognize intrusions. We compare the following methods: Simple enumeration of observed sequences, comparison of relative frequencies of different sequences, a rule induction technique, and Hidden Markov Models (HMMs). We discuss the factors affecting the performance of each method, and conclude that for this particular problem, weaker methods than HMMs are likely sufficient.

UR - http://www.scopus.com/inward/record.url?scp=0032639421&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=0032639421&partnerID=8YFLogxK

M3 - Conference article

AN - SCOPUS:0032639421

SN - 1063-7109

SP - 133

EP - 145

JO - Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy

JF - Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy

Y2 - 9 May 1999 through 12 May 1999

ER -

Detecting intrusions using system calls: alternative data models

Abstract

ASJC Scopus subject areas

Other files and links

Fingerprint

Cite this