A host-based anomaly detection approach by representing system calls as states of kernel modules

2013 IEEE 24th International Symposium on Software Reliability Engineering, ISSRE 2013

Volumn , Issue , 2013, Pages 431-440

  Murtaza, Syed Shariyar ^a   Khreich, Wael ^a   Hamou Lhadj, Abdelwahab ^a   Couture, Mario ^b  

^a Gina Cody School of Engineering and Computer Science   (Canada)

^b DEFENCE RESEARCH AND DEVELOPMENT CANADA VALCARTIER   (Canada)

Author keywords

Host based Intrusion Detection System; Software Reliability; Software Security

Indexed keywords

ANOMALY DETECTION; ANOMALY INTRUSION DETECTION; FALSE ALARM RATE; HOST-BASED INTRUSION DETECTION SYSTEM; INFORMED DECISION; PROCESSING TIME; SEMANTIC INTERACTIONS; SOFTWARE SECURITY;

ALARM SYSTEMS; COMPUTER CRIME; COMPUTER OPERATING SYSTEMS; ERRORS; PERSONAL COMPUTING; SEMANTICS; SOFTWARE RELIABILITY; STATISTICAL TESTS;

INTRUSION DETECTION;

EID: 84893264720     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/ISSRE.2013.6698896     Document Type: Conference Paper

References (38)

1. M. Abdel-Azim, A. I. Abdel-Fateh, and M. Awad, "Performance analysis of of artifical neural network intrusion detection systems", in Intl. Conf. on Electrical and Elctronics Engineering, Bursa, Turkey, 2009, pp. 385-389.
2. U. Ahmed and A. Masood, "Host based intrusion detection using RBF neural networks", in Int. Conf. on Emerging Technologies, ICET 2009, Islamaabad, Pakistan, 2009, pp. 48-51.
3. S. Bhatkar, A. Chaturvedi, and R. Sekar, "Dataflow Anomaly Detection", in IEEE Symposium on Security and Privacy, Berkeley, CA, USA, 2006, pp. 48-62.
4. S. B. Cho and H. J. Park, "Efficient anomaly detection by modeling privilege flows using hidden Markov model", Computers and Security, vol. 22, no. 1, pp. 45-55, Jan. 2003.
5. G. Creech and J. Hu, "A Semantic Approach to Hostbased Intrusion Detection Systems Using Contiguous and Discontiguous System Call Patterns", IEEE Transactions on Computers, vol. PP, no. 99, pp. 1-1, 2013.
6. M. C. Desmarais and F. Lemieux, "Clustering and Visualizing Study State Sequences", in Proc. of 5th Conf. on Educational Data Mining, Memphis, TN, USA, 2013.
7. S. Forrest, S. A. Hofmeyr, A. Somayaji, and T. A. Longstaff, "A sense of self for Unix processes", in Proc. of the 1996 IEEE Symp. on Security and Privacy, Washington, DC, USA, May 1996, pp. 120-128.
8. A. Gabadinho, G. Ritschard, N. S. Müller, and M. Studer, "Analyzing and Visualizing State Sequences in R with TraMineR", Journal of Statistical Software, vol. 40, no. 4, pp. 1-37, 2011.
9. A. K. Ghosh, C. Michael, and M. Schatz, "A Real-Time Intrusion Detection System Based on Learning Program Behavior", in Proc. of the third Intl. Workshop on Recent Advances in Intrusion Detection, Toulouse, France, Oct. 2000, pp. 93-109.
10. A. Hamou-Lhadj, "Techniques to Simplify the Analysis of Execution Traces for Program Comprehension", School of Information Technology and Engineering (SITE), University of Ottawa, Ph. D. Dissertation 2006.
11. A. Hamou-Lhadj and T. Lethbridge, "Measuring Various Properties of Execution Traces to Help Build Better Trace Analysis Tools", in Proc. of 10th Conf. on Eng. of Complex Comp. Sys., China, 2005, pp. 559-568.
12. X. D. Hoang, Jiankun Hu, and P. Bertok, "A multi-layer model for anomaly intrusion detection using program sequences of system calls", in 11th IEEE Conf. on Network, Sep. 2003, pp. 531-536.
13. X. D. Hoang, J. Hu, and and P. Bertok., "A programbased anomaly intrusion detection scheme using multiple detection engines and fuzzy inference", J. Netw. Comput. Appl, vol. 32, no. 6, pp. 1219-1228, Nov. 2009.
14. S. A. Hofmeyr, S. Forrest, and and A. Somayaji, "Intrusion detection using sequences of system calls", J. Comput. Security, vol. 6, no. 3, pp. 151-180, Aug. 1998.
15. J. Hu, X. Yu, D. Qiu, and and H. H. Chen, "A simple and efficient hidden Markov model scheme for hostbased anomaly intrusion detection", IEEE Network, vol. 23, no. 1, pp. 42-47, Jan. 2009.
16. G. Jiang, H. Chen, C. Ungureanu, and K. I. Yoshihira, "Multi-resolution Abnormal Trace Detection Using Varied-length N-grams and Automata", in Proc. 2nd Intl. Conf. on Automatic Comp., Seattle, USA, June 2005, pp. 111-122.
17. U. Larson, D. Nilsson, E. Jonsson, and S. Lindskog, "Using System Call Information to Reveal Hidden Attack Manifestations", in Proc. 1st Intl Workshop on in Security and Communication Networks, Norway, 2009, pp. 1-8.
18. P. Lichodzijewski, A. Nur Zincir-Heywood, and M. Heywood, "Host-based intrusion detection using selforganizing maps", in Proceedings of the 2002 Intl. Conf. on Neural Networks, Honolulu, USA, 2002, pp. 1714-1719.
19. A. Liu, X. Jiang, J. Jin, F. Mao, and J. Chen, "Enhancing System Called-Based Intrusion Detection with Protocol Context", in Fifth Intl. Conf. on Emerging Security Information Systems and Technologies, 2011, pp. 103-108.
20. F. Maggi, M. Matteucci, and S. Zanero, "Detecting Intrusions through System Call Sequence and Argument Analysis", IEEE Transactions on Dependable and Secure Computing, vol. 7, no. 4, pp. 381-395, Dec. 2010.
21. Metasploit. (2012) Metasploit Pentration Testing Software. [Online]. http://www.metasploit.com
22. Mozilla-Testers, 2012. [Online]. https://developer.mozilla.org/en/ Mozilla-automated-tes ting
23. NVD. (2012) National Vulnerability Database. [Online]. http://nvd.nist.gov
24. M. Mahoney and P. Chan, "Learning rules for anomaly detection of hostile network traffic", in Proc. 3rd IEEE Intl. Conf. on Data Mining, Melbourne, Florida, USA, Nov. 2003, pp. 601-604.
25. A. Patcha and J. M. Park, "An overview of anomaly detection techniques: Existing solutions and latest technological trends", Computer Networks, vol. 51, no. 12, pp. 3448-3470, Aug. 2007.
26. L. R Rabiner, "A Tutorial on Hidden Markov Models and Selected Applications in Speech Recognition", Proc. of IEEE, vol. 77, no. 2, pp. 257-286, Feb. 1989.
27. W. Lee and S. J. Stolfo, "A framework for constructing features and models for intrusion detection systems.", ACM Trans. Inf. Syst. Secur., vol. 3, no. 4, pp. 227-261, Nov. 2000.
28. G. Tandon, "Machine Learning for Host-based Anomaly Detection", Florida Institue of Technology, Melbourne, Florida, USA, Ph. D. thesis 2008.
29. K. M. C. Tan and R. A. Maxion, "Determining the Operational Limits of an Anomaly-Based Intrusion Detector", IEEE Journal on Seletected Areas in Communications, vol. 21, no. 1, pp. 96-110, 2003.
30. R Development Core Team, "R: A Language and Environment for Statistical Computing", R Foundation for Statistical Computing, 2011.
31. UNM. (1998) University of New Mexico Dataset, http://www.cs.unm.edu/ ~immsec/systemcalls.htm.
32. A. Valdes and K. Skinner, "Adaptive, Model-Based Monitoring for Cyber Attack Detection", in Proc. of 3rd Intl. Workshop on Recent Advances in Intrusion Detection, LNCS, France, Oct. 2000, pp. 80-92.
33. W. Wang, X. H. Guan, and X. L. Zhang, "Modeling program behaviors by hidden Markov models for intrusion detection", in Proc. of Intl. Conf. on Machine Learning and Cybernetics, Shanghai, China, Aug. 2004, pp. 2830-2835.
34. C. Warrender, S. Forrest, and B. Pearlmutter, "Detecting intrusions using system calls: alternative data models", in Proc. of 1999 IEEE Symposium on Security and Privacy, Oakland, USA, May 1999, pp. 133-145.
35. C. Wohlin et al., Experimentation in Software Engineering: An Introduction. Norwell, USA: Kluwer Academic Pub., 2000.
36. N. Ye, S. M. Emran, Q. Chen, and S. Vilbert, "Multivariate Statistical Analysis of Audit Trails for Host-Based Intrusion Detection", IEEE Trans. on Computers, vol. 51, no. 7, pp. 810-820, July 2002.
37. D. Y. Yeung and Y. Ding., "Host-based intrusion detection using dynamic and static behavioral models", Pattern Recognition, vol. 36, no. 1, pp. 229-243, Jan. 2003.
38. D. Yuxin, Y. Xuebing, Z. Di, D. Li, and A. Zhanchao, "Feature representation and selection in malicious code detection methods based on static system calls", Computers & Security, vol. 30, no. 6-7, pp. 514-524, 2011.