Detecting intrusions using system calls: Alternative data models

Christina Warrender; Stephanie Forrest; Barak Pearlmutter

doi:10.1109/SECPRI.1999.766910

Detecting intrusions using system calls: Alternative data models

Christina Warrender, Stephanie Forrest, Barak Pearlmutter

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

454 Scopus citations

Abstract

Intrusion detection systems rely on a wide variety of observable data to distinguish between legitimate and illegitimate activities. We study one such observable-sequences of system calls into the kernel of an operating system. Using system-call data sets generated by several different programs, we compare the ability of different data modeling methods to represent normal behavior accurately and to recognize intrusions. We compare the following methods: simple enumeration of observed sequences; comparison of relative frequencies of different sequences; a rule induction technique; and hidden Markov models (HMMs). We discuss the factors affecting the performance of each method and conclude that for this particular problem, weaker methods than HMMs are likely sufficient.

Original language	English (US)
Title of host publication	Proceedings of the 1999 IEEE Symposium on Security and Privacy
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	133-145
Number of pages	13
ISBN (Electronic)	0769501761
DOIs	https://doi.org/10.1109/SECPRI.1999.766910
State	Published - 1999
Externally published	Yes
Event	1999 IEEE Symposium on Security and Privacy - Oakland, United States Duration: May 9 1999 → May 12 1999

Publication series

Name	Proceedings - IEEE Symposium on Security and Privacy
Volume	1999-January
ISSN (Print)	1081-6011

Other

Other	1999 IEEE Symposium on Security and Privacy
Country/Territory	United States
City	Oakland
Period	5/9/99 → 5/12/99

ASJC Scopus subject areas

Safety, Risk, Reliability and Quality
Software
Computer Networks and Communications

Access to Document

10.1109/SECPRI.1999.766910

Cite this

Warrender, C., Forrest, S., & Pearlmutter, B. (1999). Detecting intrusions using system calls: Alternative data models. In Proceedings of the 1999 IEEE Symposium on Security and Privacy (pp. 133-145). Article 766910 (Proceedings - IEEE Symposium on Security and Privacy; Vol. 1999-January). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/SECPRI.1999.766910

Detecting intrusions using system calls: Alternative data models. / Warrender, Christina; Forrest, Stephanie; Pearlmutter, Barak.
Proceedings of the 1999 IEEE Symposium on Security and Privacy. Institute of Electrical and Electronics Engineers Inc., 1999. p. 133-145 766910 (Proceedings - IEEE Symposium on Security and Privacy; Vol. 1999-January).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Warrender, C, Forrest, S & Pearlmutter, B 1999, Detecting intrusions using system calls: Alternative data models. in Proceedings of the 1999 IEEE Symposium on Security and Privacy., 766910, Proceedings - IEEE Symposium on Security and Privacy, vol. 1999-January, Institute of Electrical and Electronics Engineers Inc., pp. 133-145, 1999 IEEE Symposium on Security and Privacy, Oakland, United States, 5/9/99. https://doi.org/10.1109/SECPRI.1999.766910

@inproceedings{756585c02a97459e8445a2dad8035fe8,

title = "Detecting intrusions using system calls: Alternative data models",

abstract = "Intrusion detection systems rely on a wide variety of observable data to distinguish between legitimate and illegitimate activities. We study one such observable-sequences of system calls into the kernel of an operating system. Using system-call data sets generated by several different programs, we compare the ability of different data modeling methods to represent normal behavior accurately and to recognize intrusions. We compare the following methods: simple enumeration of observed sequences; comparison of relative frequencies of different sequences; a rule induction technique; and hidden Markov models (HMMs). We discuss the factors affecting the performance of each method and conclude that for this particular problem, weaker methods than HMMs are likely sufficient.",

author = "Christina Warrender and Stephanie Forrest and Barak Pearlmutter",

note = "Publisher Copyright: {\textcopyright} 1999 IEEE.; 1999 IEEE Symposium on Security and Privacy ; Conference date: 09-05-1999 Through 12-05-1999",

year = "1999",

doi = "10.1109/SECPRI.1999.766910",

language = "English (US)",

series = "Proceedings - IEEE Symposium on Security and Privacy",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "133--145",

booktitle = "Proceedings of the 1999 IEEE Symposium on Security and Privacy",

}

TY - GEN

T1 - Detecting intrusions using system calls

T2 - 1999 IEEE Symposium on Security and Privacy

AU - Warrender, Christina

AU - Forrest, Stephanie

AU - Pearlmutter, Barak

PY - 1999

Y1 - 1999

N2 - Intrusion detection systems rely on a wide variety of observable data to distinguish between legitimate and illegitimate activities. We study one such observable-sequences of system calls into the kernel of an operating system. Using system-call data sets generated by several different programs, we compare the ability of different data modeling methods to represent normal behavior accurately and to recognize intrusions. We compare the following methods: simple enumeration of observed sequences; comparison of relative frequencies of different sequences; a rule induction technique; and hidden Markov models (HMMs). We discuss the factors affecting the performance of each method and conclude that for this particular problem, weaker methods than HMMs are likely sufficient.

AB - Intrusion detection systems rely on a wide variety of observable data to distinguish between legitimate and illegitimate activities. We study one such observable-sequences of system calls into the kernel of an operating system. Using system-call data sets generated by several different programs, we compare the ability of different data modeling methods to represent normal behavior accurately and to recognize intrusions. We compare the following methods: simple enumeration of observed sequences; comparison of relative frequencies of different sequences; a rule induction technique; and hidden Markov models (HMMs). We discuss the factors affecting the performance of each method and conclude that for this particular problem, weaker methods than HMMs are likely sufficient.

UR - http://www.scopus.com/inward/record.url?scp=84880174811&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84880174811&partnerID=8YFLogxK

U2 - 10.1109/SECPRI.1999.766910

DO - 10.1109/SECPRI.1999.766910

M3 - Conference contribution

AN - SCOPUS:84880174811

T3 - Proceedings - IEEE Symposium on Security and Privacy

SP - 133

EP - 145

BT - Proceedings of the 1999 IEEE Symposium on Security and Privacy

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 9 May 1999 through 12 May 1999

ER -

Detecting intrusions using system calls: Alternative data models

Abstract

Publication series

Other

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this