Detecting intrusions through system call sequence and argument analysis

IEEE Transactions on Dependable and Secure Computing

Volumn 7, Issue 4, 2010, Pages 381-395

  Maggi, Federico ^a   Matteucci, Matteo ^a   Zanero, Stefano ^a  

^a POLITECNICO DI MILANO   (Italy)

Author keywords

anomaly detection; behavior detection; Intrusion detection; Invasive software (viruses; Markov models; Network level security and protection; phreaking); Security; Trojan horses); Unauthorized access (hacking; worms

Indexed keywords

CLUSTERING ALGORITHMS; COMPUTER VIRUSES; INTRUSION DETECTION; MARKOV PROCESSES; PERSONAL COMPUTING; SIGNAL TO NOISE RATIO; VIRUSES;

BEHAVIOR DETECTION; INVASIVE SOFTWARE; MARKOV MODEL; NETWORK-LEVEL SECURITY AND PROTECTION; PHREAKING); SECURITY; UNAUTHORIZED ACCESS; WORMS;

ANOMALY DETECTION;

EID: 78149460823     PISSN: 15455971     EISSN: None     Source Type: Journal    
DOI: 10.1109/TDSC.2008.69     Document Type: Article

References (47)

1. J. P. Anderson, "Computer Security Threat Monitoring and Surveillance", technical report, J. P. Anderson, Apr. 1980.
2. S. Forrest, S. A. Hofmeyr, A. Somayaji, and T. A. Longstaff, "A Sense of Self for Unix Processes", Proc. IEEE Symp. Security and Privacy (S&P), 1996.
3. J. B. D. Cabrera, L. Lewis, and R. Mehara, "Detection and Classification of Intrusion and Faults Using Sequences of System Calls", ACM SIGMOD Record, vol. 30, no. 4, 2001.
4. S. Hofmeyr, S. Forrest, and A. Somayaji, "Intrusion Detection Using Sequences of System Calls", J. Computer Security, vol. 6, pp. 151-180, 1998.
5. A. Somayaji and S. Forrest, "Automated Response Using System-Call Delays", Proc. Ninth USENIX Security Symp., Aug. 2000.
6. W. W. Cohen, "Fast Effective Rule Induction", Proc. 12th Int'l Conf. Machine Learning (ICML'95), A. Prieditis and S. Russell, eds., pp. 115-123, July 1995.
7. W. Lee and S. Stolfo, "Data Mining Approaches for Intrusion Detection", Proc. Seventh USENIX Security Symp., 1998.
8. D. Ourston, S. Matzner, W. Stump, and B. Hopkins, "Applications of Hidden Markov Models to Detecting Multi-Stage Network Attacks", Proc. 36th Ann. Hawaii Int'l Conf. System Sciences (HICSS-36'03), p. 334, 2003.
9. S. Jha, K. Tan, and R. A. Maxion, "Markov Chains, Classifiers, and Intrusion Detection", Proc. 14th IEEE Workshop Computer Security Foundations (CSFW'01), p. 206, 2001.
10. C. C. Michael and A. Ghosh, "Simple, State-Based Approaches to Program-Based Anomaly Detection", ACM Trans. Information and System Security, vol. 5, no. 3, pp. 203-237, 2002.
11. R. Sekar, M. Bendre, D. Dhurjati, and P. Bollineni, "A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors", Proc. IEEE Symp. Security and Privacy (S&P'01), pp. 144-155, 2001.
12. D. Wagner and D. Dean, "Intrusion Detection via Static Analysis", Proc. IEEE Symp. Security and Privacy (S&P'01), p. 156, 2001.
13. J. T. Giffin, D. Dagon, S. Jha, W. Lee, and B. P. Miller, "Environment-Sensitive Intrusion Detection", Proc. Eighth Int'l Symp. Recent Advances in Intrusion Detection (RAID'05), pp. 185-206, 2005.
14. D.-Y. Yeung and Y. Ding, "Host-Based Intrusion Detection Using Dynamic and Static Behavioral Models", Pattern Recognition, vol. 36, pp. 229-243, Jan. 2003.
15. C. Kruegel, D. Mutz, F. Valeur, and G. Vigna, "On the Detection of Anomalous System Call Arguments", Proc. European Symp. Research in Computer Security (ESORICS'03), Oct. 2003.
16. G. Tandon and P. Chan, "Learning Rules from System Call Arguments and Sequences for Anomaly Detection", Proc. ICDM Workshop Data Mining for Computer Security (DMSEC'03), pp. 20-29, 2003.
17. S. Bhatkar, A. Chaturvedi, and R. Sekar, "Dataflow Anomaly Detection", Proc. IEEE Symp. Security and Privacy (S&P'06), May 2006.
18. R. G. Bace, Intrusion Detection. Macmillan, 2000.
19. D. E. Denning, "An Intrusion-Detection Model", IEEE Trans. Software Eng., vol. 13, no. 2, pp. 222-232, Feb. 1987.
20. M. Burgess, H. Haugerud, S. Straumsnes, and T. Reitan, "Measuring System Normality", ACM Trans. Computer Systems, vol. 20, no. 2, pp. 125-160, 2002.
21. N. Ye and Q. Chen, "An Anomaly Detection Technique Based on a Chi-Square Statistic for Detecting Intrusions into Information Systems", Quality and Reliability Eng. Int'l, vol. 17, no. 2, pp. 105-112, 2001.
22. H. Debar, M. Becker, and D. Siboni, "A Neural Network Component for an Intrusion Detection System", Proc. IEEE Symp. Research in Computer Security and Privacy, 1992.
23. M. Theus and M. Schonlau, "Intrusion Detection Based on Structural Zeroes", Statistical Computing and Graphics Newsletter, vol. 9, pp. 12-17, 1998.
24. A. K. Gosh, J. Wanken, and F. Charron, "Detecting Anomalous and Unknown Intrusions against Programs", Proc. 14th Ann. Computer Security Applications Conf. (ACSAC'98), p. 259, 1998.
25. J. C. Galeano, A. Veloza-Suan, and F. A. Gonz?lez, "A Comparative Analysis of Artificial Immune Network Models", Proc. 2005 Conf. Genetic and Evolutionary Computation (GECCO'05), pp. 361-368, 2005.
26. S. Forrest, S. A. Hofmeyr, and A. Somayaji, "Computer Immunology", Comm. ACM, vol. 40, no. 10, pp. 88-96, 1997.
27. C. Ko, G. Fink, and K. Levitt, "Automated Detection of Vulnerabilities in Privileged Programs by Execution Monitoring", Proc. 10th Ann. Computer Security Applications Conf. (ACSAC'94), pp. 134-144, 1994.
28. W. Lee, S. J. Stolfo, and P. K. Chan, "Learning Patterns from Unix Process Execution Traces for Intrusion Detection", Proc. AAAI97 Workshop AI Approaches to Fraud Detection and Risk Management, pp. 50-56, http://citeseer.ist.psu.edu/lee97learning.html, 1997.
29. W. Lee and W. Fan, "Mining System Audit Data: Opportunities and Challenges", ACM SIGMOD Record, vol. 30, no. 4, pp. 35-44, 2001.
30. C. Warrender, S. Forrest, and B. A. Pearlmutter, "Detecting Intrusions Using System Calls: Alternative Data Models", Proc. IEEE Symp. Security and Privacy (S&P'99), pp. 133-145, 1999.
31. S. Forrest, A. S. Perelson, L. Allen, and R. Cherukuri, "Self-Nonself Discrimination in a Computer", Proc. IEEE Symp. Security and Privacy (S&P'94), p. 202, 1994.
32. S. Zanero, "Behavioral Intrusion Detection", Proc. 19th Int'l Symp. Computer and Information Sciences (ISCIS'04), pp. 657-666, Oct. 2004.
33. D. Wagner and P. Soto, "Mimicry Attacks on Host-Based Intrusion Detection Systems", Proc. Ninth ACM Conf. Computer and Comm. Security (CCS'02), pp. 255-264, 2002.
34. D. Mutz, F. Valeur, G. Vigna, and C. Kruegel, "Anomalous System Call Detection", ACM Trans. Information and System Security, vol. 9, no. 1, pp. 61-93, 2006.
35. A. Stolcke and S. Omohundro, "Hidden Markov Model Induction by Bayesian Model Merging", Advances in Neural Information Processing Systems. Morgan Kaufmann, vol. 5, pp. 11-18, 1993.
36. A. Stolcke and S. M. Omohundro, "Inducing Probabilistic Grammars by Bayesian Model Merging", Proc. Second Int'l Colloquium on Grammatical Inference and Applications (ICGI'94), pp. 106-118, 1994.
37. S. Y. Lee, W. L. Low, and P. Y. Wong, "Learning Fingerprints for a Database Intrusion Detection System", Proc. Seventh European Symp. Research in Computer Security (ESORICS'02), pp. 264-280, 2002.
38. LibAnomaly, http://www.cs.ucsb.edu/~rsg/libAnomaly, 2008.
39. S. Zanero, "Unsupervised Learning Algorithms for Intrusion Detection", PhD dissertation, Politecnico di Milano T. U., May 2006.
40. G. H. Golub and C. F. V. Loan, Matrix Computations, third ed. Johns Hopkins Univ. Press, 1996.
41. L. R. Rabiner, "A Tutorial on Hidden Markov Models and Selected Applications in Speech Recognition", Proc. IEEE, vol. 77, pp. 257-286, 1989.
42. W. R. Pestman, Mathematical Statistics: An Introduction. Walter de Gruyter, 1998.
43. R. Lippmann, J. W. Haines, D. J. Fried, J. Korba, and K. Das, "The 1999 DARPA Off-Line Intrusion Detection Evaluation", Computer Networks, vol. 34, no. 4, pp. 579-595, 2000.
44. J. McHugh, "Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory", ACM Trans. Information and System Security, vol. 3, no. 4, pp. 262-294, 2000.
45. M. V. Mahoney and P. K. Chan, "An analysis of the 1999 DARPA/Lincoln Laboratory Evaluation Data for Network Anomaly Detection", Proc. Sixth Int'l Symp. Recent Advances in Intrusion Detection (RAID'03), pp. 220-237, Sept. 2003.
46. Shmoo Group, Capture the CTF, http://cctf.shmoo.com 2008.
47. R. N. M. Watson and W. Salamon, "The FreeBSD Audit System", Proc. UKUUG Ann. Large Installation Systems Administration Conf. (LISA'06), Mar. 2006.