Simple, State-Based Approaches to Program-Based Anomaly Detection

ACM Transactions on Information and System Security

Volumn 5, Issue 3, 2002, Pages 203-237

  Michael, C C ^a   Ghosh, Anup ^b  

^a Cigital   (United States)

^b DEFENSE ADVANCED RESEARCH PROJECTS AGENCY   (United States)

Author keywords

Anomaly Detection; Experimentation; Finite Automata; Information System Security; Intrusion Detection; Machine Learning; Performance; Security

Indexed keywords

EID: 84882800335     PISSN: 10949224     EISSN: 15577406     Source Type: Journal    
DOI: 10.1145/545186.545187     Document Type: Article

References (30)

1. anderson, J. 1980. Computer security threat monitoring and surveillance. Tech. Rep. James P. anderson Co., Fort Washington, Pa.
2. Basseville, M. and Nikiforov, I. V. 1993. Detection of Abrupt Changes-Theory and Application. Prentice-Hall, Inc., Englewood Cliffs, N.J.
3. Cannady, J. 1998. Artificial neural networks for misuse detection. In Proceedings of the 1998 National Information Systems Security Conference (NISSC'98). (Arlington, Va.), 443-456.
4. D'Haeseleer, P., Forrest, S., and Helman, P. 1996. An immunological approach to change detection: Algorithms, analysis and implications. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society Press, Los Alamitos, Calif.
5. Endler, D. 1998. Intrusion detection: Applying machine learning to solaris audit data. In Proceedings of the 1998Annual Computer Security Applications Conference (ACSAC'98). (Scottsdale, Az.). IEEE Computer Society Press, Los Alamitos, Calif., 268-279.
6. Forrest, S., Hofmeyr, S. A., Somayaji, A., and Longstaff, T. A. 1996. A sense of self for Unix processes. In Proceedings of the 1996 IEEE Symposium on Research in Security and Privacy. IEEE Computer Society Press, Los Alamitos, Calif., 120-128.
7. Freund, Y., Kearns, M., Ron, D., Rubinfeld, R., Schapire, R. E., and Sellie, L. 1997. Efficient learning of typical finite automata from random walks. Inf. Comput. 138, 1 (10 Oct.), 23-48.
8. Ghosh, A., Michael, C. C., and Schatz, M. 2000. A real-time intrusion detection system based on learning program behavior. In Recent Advances in Intrusion Detection; Third International Workshop. H. Debar, L. Me, and F. Wu, Eds. Lecture Notes in Computer Science, vol. 1907. Springer, Berlin, 93-109.
9. Ghosh, A., Schwartzbard, A., and Schatz, M. 1999. Using program behavior profiles for intrusion detection. In Proceedings of the SANS Intrusion Detection Workshop.
10. Ghosh, A., Wanken, J., and Charron, F. 1998. Detecting anomalous and unknown intrusions against programs. In Proceedings ofthe 1998Annual Computer Security Applications Conference (ACSAC'98).
11. Grimmet, G. R. and Stirzaker, R. D. 1992. Probability and Random Processes. Oxford University Press.
12. Kearns, M. and Valiant, L. 1989. Cryptographic limitations on learning boolean formulae and finite automata. In Proceedings of the 21st Annual ACM Symposium on Theory of Computing. ACM, New York, 433-444.
13. Kim, G. H. and Spafford, E. H. 1994. The design and implementation of tripwire: A file system integrity checker. In Proceedings of the 2nd ACM Conference on Computer and Communications Security. J. Stern, Ed. (Fairfax, Va.). ACM, New York, 18-29.
14. Kosoresow, A. P. and Hofmeyr, S. A. 1997. Intrusion detection via system call traces. IEEE Softw. 14, 5 (Sept./Oct.), 24-42.
15. LAI, T. L. 1998. Information bounds and quick detection of parameter changes in stochastic systems. IEEE Trans. Inf. Theory 44, 7, 2917-2929.
16. Lane, T. and Brodley, C. 1997. An application of machine learning to anomaly detection. In Proceedings ofthe 20th National Information Systems Security Conference. 366-377.
17. Lane, T. and Brodley, C. E. 1999. Temporal sequence learning and data reduction for anomaly detection. ACM Trans. Inf. Syst. Sec. 2, 3, 295-331.
18. Lang, K., Pearlmutter, B., and PRICE, R. 1998. Results of the abbadingo one dfa learning competition and a new evidence driven state merging algorithm. In Proceedings of the International Colloquium on Grammatical Inference (ICGA-98). Lecture Notes in Artificial Intelligence, vol. 1433. Springer-Verlag, New York, 1-12.
19. Lee, W., STOLFO, S., and CHAN, P. 1997. Learning patterns from Unix process execution traces for intrusion detection. In Proceedings of AAAI97 Workshop on AI Methods in Fraud and Risk Management.
20. Lunt, T. 1990. Ides: an intelligent system for detecting intruders. In Proceedings ofthe Symposium: Computer Security, Threat and Countermeasures (Rome, Italy).
21. Lunt, T. 1993. A survey of intrusion detection techniques. Comput. Sec. 12,405-418.
22. Lunt, T. and Jagannathan, R. 1988. A prototype real-time intrusion-detection system. In Proceedings ofthe 1988 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, Los Alamitos, Calif.
23. Lunt, T., Tamaru, A., Gilham, F., Jagannthan, R., Jalali, C., Javitz, H., Valdos, A., Neumann, P., and Garvey, T. 1992. A real-time intrusion-detection expert system (ides). Tech. Rep. Computer Science Laboratory, SRI Internationnal.
24. Michael, C. C. and GHOSH, A. 2000. Two state-based approaches to program-based anomaly detection. In Proceedings ofACSAC 2000. 21-30.
25. Porras, P. and Neumann, P. 1997. Emerald: Event monitoring enabling responses to anomalous live disturbances. In Proceedings of the 20th National Information Systems Security Conference. 353-365.
26. Rabiner, L. and Juang, B.-H. 1993. Fundamentals of Speech Recognition. Prentice-Hall (Signal Processing Series), Englewood Cliffs, N.J.
27. Sekar, R., Bendre, M., Dhurjati, D., and Bollineni, P. 2000. A fast automaton-based method for detecting anomalous program behaviors. In Proceedings ofthe 2000 IEEE Symposium on Security and Privacy. IEEE Computer Society, Los Alamitos, Calif., 144-155.
28. Staniford-Chen, S., Cheung, S., Crawford, R., Dilger, M., Frank, J., Hoagland, J., Levitt, K., Wee, C., Yip, R., and Zerkle, D. 1996. GrIDS-A graph based intrusion detection system for large networks. In Proceedings ofthe 19th National Information Systems Security Conference.
29. Vapnik, V. N. 1995. The Nature of Statistical Learning Theory. Springer, New York.
30. Warrender, C., Forrest, S., and Pearlmutter, B. 1999. Detecting intrusions using system calls: Alternative data models. In Proceedings ofthe 1999 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, Los Alamitos, Calif., 133-145.