Detecting intrusions using system calls: Alternative data models

Christina Warrender, Stephanie Forrest, Barak Pearlmutter

Research output: Chapter in Book/Report/Conference proceedingConference contribution

379 Scopus citations

Abstract

Intrusion detection systems rely on a wide variety of observable data to distinguish between legitimate and illegitimate activities. We study one such observable-sequences of system calls into the kernel of an operating system. Using system-call data sets generated by several different programs, we compare the ability of different data modeling methods to represent normal behavior accurately and to recognize intrusions. We compare the following methods: simple enumeration of observed sequences; comparison of relative frequencies of different sequences; a rule induction technique; and hidden Markov models (HMMs). We discuss the factors affecting the performance of each method and conclude that for this particular problem, weaker methods than HMMs are likely sufficient.

Original languageEnglish (US)
Title of host publicationProceedings of the 1999 IEEE Symposium on Security and Privacy
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages133-145
Number of pages13
ISBN (Electronic)0769501761
DOIs
StatePublished - 1999
Event1999 IEEE Symposium on Security and Privacy - Oakland, United States
Duration: May 9 1999May 12 1999

Publication series

NameProceedings - IEEE Symposium on Security and Privacy
Volume1999-January
ISSN (Print)1081-6011

Other

Other1999 IEEE Symposium on Security and Privacy
CountryUnited States
CityOakland
Period5/9/995/12/99

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Software
  • Computer Networks and Communications

Fingerprint Dive into the research topics of 'Detecting intrusions using system calls: Alternative data models'. Together they form a unique fingerprint.

Cite this