A semantic approach to host-based intrusion detection systems using contiguousand discontiguous system call patterns

IEEE Transactions on Computers

Volumn 63, Issue 4, 2014, Pages 807-819

  Creech, Gideon ^a   Hu, Jiankun ^a  

^a UNIVERSITY OF NEW SOUTH WALES   (Australia)

Author keywords

ADFA LD; anomaly detection; computer security; host based IDS; Intrusion detection; system calls

Indexed keywords

COMPUTER CRIME; COMPUTER OPERATING SYSTEMS; ERRORS; PERSONAL COMPUTING; SECURITY OF DATA; SEMANTICS;

ADFA-LD; ANOMALY DETECTION; ANOMALY INTRUSION DETECTION; HIGH-LEVEL PROGRAMMING LANGUAGE; HOST-BASED; HOST-BASED INTRUSION DETECTION SYSTEM; INTRINSIC ACTIVITIES; SYSTEM CALLS;

INTRUSION DETECTION;

EID: 84897137099     PISSN: 00189340     EISSN: None     Source Type: Journal    
DOI: 10.1109/TC.2013.13     Document Type: Article

References (67)

1. J.P. Farwell and R. Rohozinski, "Stuxnet and the Future of Cyber War, " Survival, vol. 53, no. 1, pp. 23-40, 2011.
2. T. Chen, "Stuxnet, the Real Start of Cyber Warfare?" IEEE Network, vol. 24, no. 6, pp. 2-3, Nov./Dec. 2010.
3. J. Naughton, "How the Flame Virus Has Changed Everything for Online Security Firms, " http://www.guardian.-co.uk/technology/2012/jun/17/flame- virus-online-security, 2012.
4. S. Richmond and C. Williams, "Millions of Internet Users Hit by Massive Sony PlayStation Data Theft, " http://www.telegraph.co.uk/ technology/news/8475728/Millions-of-internet-users-hit-by-massive-Sony- PlayStation-data-theft.html, 2012.
5. Defence Signals Directorate-Cyber Security Operations Centre, "Top 35 Mitigation Strategies for Targeted Cyber Intrusions, " http://www.dsd.gov.au/publications/Top-35-Mitigations.pdf, Mar. 2012.
6. C. Brown, A. Cowperthwaite, A. Hijazi, and A. SoMayaji, "Analysis of the 1999 DARPA/Lincoln Laboratory IDS Evaluation Data with NetADHICT, " Proc. IEEE Symp. Computational Intelligence for Security and Defense Applications, (CISDA '09), pp. 1-7, July 2009.
7. P. Owezarski, "A Database of Anomalous Traffic for Assessing Profile Based IDS, " Proc. Second Int'l Conf. Traffic Monitoring and Analysis (TMA '10), pp. 59-72, 2010.
8. V. Engen, J. Vincent, and K. Phalp, "Exploring Discrepancies in Findings Obtained with the KDD Cup '99 Data Set, " Intelligent Data Analysis, vol. 15, no. 2, pp. 251-276, 2011.
9. S. Petrovic, G. Alvarez, A. Orfila, and J. Carbo, "Labelling Clusters in an Intrusion Detection System Using a Combination of Clustering Evaluation Techniques, " Proc. 39th Ann. Hawaii Int'l Conf. System Sciences (HICSS '06), vol. 6, p. 129b, Jan. 2006. (Pubitemid 44539456)
10. M. Mahoney and P. Chan, "An Analysis of the 1999 DARPA/Lincoln Laboratory Evaluation Data for Network Anomaly Detection, " Proc. Sixth Int'l Symp. Recent Advances in Intrusion Detection, pp. 220-237, 2003. (Pubitemid 137633167)
11. J. McHugh, "Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Intrusion Detection System Evalua tions as Performed by Lincoln Laboratory, " ACM Trans. Informa tion and System Security, vol. 3, no. 4, pp. 262-294, http://doi.acm.org/10.1145/382912.382923, Nov. 2000.
12. W. Liu and J. OuYang, "Clustering Algorithm for High Dimensional Data Stream over Sliding Windows, " Proc. IEEE 10th Int'l Conf. Trust, Security and Privacy in Computing and Comm. (TrustCom), pp. 1537-1542, Nov. 2011.
13. H. Bahrbegi, A. Navin, A. Ahrabi, M. Mirnia, and A. Mollanejad, "A New System to Evaluate GA-Based Clustering Algorithms in Intrusion Detection Alert Management System, " Proc. Second World Congress on Nature and Biologically Inspired Computing (NaBIC), pp. 115-120, Dec. 2010.
14. J.-H. Lee, J.-H. Lee, S.-G. Sohn, J.-H. Ryu, and T.-M. Chung, "Effective Value of Decision Tree with KDD 99 Intrusion Detection Datasets for Intrusion Detection System, " Proc. 10th Int'l Conf. Advanced Comm. Technology (ICACT), vol. 2, pp. 1170-1175, Feb. 2008. (Pubitemid 351720687)
15. G.-B. Huang, Q.-Y. Zhu, and C.-K. Siew, "Extreme Learning Machine: A New Learning Scheme of Feedforward Neural Networks, " Proc. IEEE Int'l Joint Conf. Neural Networks, vol. 2, pp. 985-990, 2004. (Pubitemid 40011594)
16. F. Bin Hamid Ali and Y.Y. Len, "Development of Host Based Intrusion Detection System for Log Files, " Proc. IEEE Symp. Business, Eng. and Industrial Applications (ISBEIA), pp. 281-285, Sept. 2011.
17. L. Ying, Z. Yan, and O. Yang-jia, "The Design and Implementation of Host-Based Intrusion Detection System, " Proc. Third Int'l Symp. Intelligent Information Technology and Security Informatics (IITSI), pp. 595-598, Apr. 2010.
18. J. Wang and Y. Hu, "PROFS-Performance-Oriented Data Reorganization for Log-Structured File System on Multi-Zone Disks, " Proc. Ninth Int'l Symp. Modeling, Analysis and Simulation of Computer and Telecomm. Systems, pp. 285-292, 2001. (Pubitemid 32878212)
19. D. Bacon, "File System Measurements and Their Application to the Design of Efficient Operation Logging Algorithms, " Proc. 10th Symp. Reliable Distributed Systems, pp. 21-30, Sept. 1991.
20. S. Forrest, S. Hofmeyr, A. SoMayaji, and T. Longstaff, "A Sense of Self for Unix Processes, " Proc. IEEE Symp. Security and Privacy, pp. 120-128, May 1996.
21. C. Feng, J. Peng, H. Qiao, and J.W. Rozenblit, "Alert Fusion for a Computer Host Based Intrusion Detection System, " Proc. 14th Ann. IEEE Int'l Conf. Workshops on the Eng. Computer-Based Systems (ECBS '07), pp. 433-440, Mar. 2007. (Pubitemid 46900699)
22. A. Siraj, R. Vaughn, and S. Bridges, "Intrusion Sensor Data Fusion in an Intelligent Intrusion Detection System Architecture, " Proc. 37th Ann. Hawaii Int'l Conf. System Sciences, p. 10, Jan. 2004.
23. X. Hoang and J. Hu, "An Efficient Hidden Markov Model Training Scheme for Anomaly Intrusion Detection of Server Applications Based on System Calls, " Proc. IEEE Int'l Conf. Networks (ICON 2004), vol. 2, pp. 470-474, Nov. 2004. (Pubitemid 40926525)
24. C. Raman and A. Negi, "A Hybrid Method to Intrusion Detection Systems Using HMM, " Proc. Second Int'l Conf. Distributed Computing and Internet Technology, pp. 389-396, http://dx.doi.org/10.1007/11604655-44, 2005. (Pubitemid 43846707)
25. S. Forrest, S.A. Hofmeyr, and A. SoMayaji, "Computer Immunology, " Comm. ACM, vol. 40, no. 10, pp. 88-96, http://doi.acm.org/10.1145/262793. 262811, Oct. 1997. (Pubitemid 127442917)
26. S.A. Hofmeyr, S. Forrest, and A. SoMayaji, "Intrusion Detection Using Sequences of System Calls, " J. Computer Security, vol. 6, no. 3, p. 151, http://search.ebscohost.com/login.aspx?direct =true&db=tsh&AN= 1531432&site=ehost-live, 1998.
27. X.D. Hoang, J. Hu, and P. Bertok, "A Multi-Layer Model for Anomaly Intrusion Detection Using Program Sequences of System Calls, " Proc. 11th IEEE Int'l. Conf. Networks, pp. 531-536, 2003.
28. S.-B. Cho and H.-J. Park, "Efficient Anomaly Detection by Modeling Privilege Flows Using Hidden Markov Model, " Computers and Security, vol. 22, no. 1, pp. 45-55, 2003.
29. J. Hu, X. Yu, D. Qiu, and H.-H. Chen, "A Simple and Efficient Hidden Markov Model Scheme for Host-Based Anomaly Intrusion Detection, " IEEE Network, vol. 23, no. 1, pp. 42-47, Jan./Feb. 2009.
30. P. Lichodzijewski, A. Nur Zincir-Heywood, and M. Heywood, "Host-Based Intrusion Detection Using Self-Organizing Maps, " Proc. Int'l Joint Conf. Neural Networks (IJCNN '02), vol. 2, pp. 1714-1719, 2002. (Pubitemid 34647888)
31. U. Ahmed and A. Masood, "Host Based Intrusion Detection Using RBF Neural Networks, " Proc. Int'l Conf. Emerging Technologies (ICET '09), pp. 48-51, Oct. 2009.
32. M. Abdel Azim, A.I. Abdel Fatah, and M. Awad, "Performance Analysis of Artificial Neural Network Intrusion Detection Systems, " Proc. Int'l Conf. Electrical and Electronics Eng. (ELECO '09), pp. 385-389, 2009.
33. N. Ye, S. Emran, Q. Chen, and S. Vilbert, "Multivariate Statistical Analysis of Audit Trails for Host-Based Intrusion Detection, " IEEE Trans. Computers, vol. 51, no. 7, pp. 810-820, July 2002. (Pubitemid 34835448)
34. R. Grishman, Computational Linguistics: An Introduction. Cambridge Univ. Press, 1986.
35. E. Charniak, Statistical Language Learning. MIT Press, 1993.
36. D. Wagner and P. Soto, "Mimicry Attacks on Host-Based Intrusion Detection Systems, " Proc. Ninth ACM Conf. Computer and Comm. Security (CCS '02), pp. 255-264, http://doi.acm.org/10.1145/586110.586145, 2002.
37. D. Bruschi, L. Cavallaro, and A. Lanzi, "An Efficient Technique for Preventing Mimicry and Impossible Paths Execution Attacks, " Proc. IEEE Int'l Performance, Computing, and Comm. Conf. (IPCCC '07), pp. 418-425, Apr. 2007. (Pubitemid 350139325)
38. D. Gao, M. Reiter, and D. Song, "Beyond Output Voting: Detecting Compromised Replicas Using HMM-Based Behavioral Distance, " IEEE Trans. Dependable and Secure Computing, vol. 6, no. 2, pp. 96-110, Apr.-June 2009.
39. U. Larson, D. Nilsson, E. Jonsson, and S. Lindskog, "Using System Call Information to Reveal Hidden Attack Manifestations, " Proc. First Int'l Workshop Security and Comm. Networks (IWSCN), pp. 1-8, May 2009.
40. S. Bhatkar, A. Chaturvedi, and R. Sekar, "Dataflow Anomaly Detection, " Proc. Symp. Security and Privacy, May 2006.
41. H. Gunes Kayacik, A. Zincir-Heywood, M. Heywood, and S. Burschka, "Generating Mimicry Attacks Using Genetic Programming: A Benchmarking Study, " Proc. IEEE Symp. Computational Intelligence in Cyber Security (CICS '09), pp. 136-143, Apr. 2009.
42. H. Kayacik, A. Zincir-Heywood, and M. Heywood, "Automatically Evading IDS Using GP Authored Attacks, " Proc. IEEE Symp. Computational Intelligence in Security and Defense Applications (CISDA '07), pp. 153-160, Apr. 2007. (Pubitemid 47431350)
43. A. Liu, X. Jiang, J. Jin, F. Mao, and J. Chen, "Enhancing System-Called-Based Intrusion Detection with Protocol Context, " Proc. Fifth Int'l Conf. Emerging Security Information, Systems and Technologies (SECURWARE '11), pp. 103-108, Aug. 2011.
44. G. Creech and F. Jiang, "The Application of Extreme Learning Machines to the Network Intrusion Detection Problem, " AIP Conf. Proc., vol. 1479, no. 1, pp. 1506-1511, http://link.aip.org/link/?APC/1479/1506/1, 2012.
45. C. Cheng, W.P. Tay, and G.-B. Huang, "Extreme Learning Machines for Intrusion Detection, " Proc. Int'l Joint Conf. Neural Networks (IJCNN), pp. 1-8, June 2012.
46. C. Warrender, S. Forrest, and B. Pearlmutter, "Detecting Intrusions Using System Calls: Alternative Data Models, " Proc. IEEE Symp. Security and Privacy, pp. 133-145, 1999.
47. S.A. Hofmeyr and S. Forrest, "Architecture for an Artificial Immune System, " Evolutionary Computation, vol. 8, no. 4, pp. 443-473, 2000.
48. R.K. Gunningham, R.P. Lippmann, D.J. Fried, S.L. Garfinkel, I. Graf, K.R. Kendall, S.E. Webster, D. Wyschogrod, and M.A. Zissman, "KDD98 Intrusion Detection Dataset, " Proc. Int'l Conf. Knowledge Discovery and Data Mining '98), http://www.ll. mit.edu/mission/communications/ist/corpora/ideval/data/ 1998data.html, 1998.
49. A.P. Bradley, "The Use of the Area under the ROC Curve in the Evaluation of Machine Learning Algorithms, " Pattern Recognition, vol. 30, no. 7, pp. 1145-1159, http://www.sciencedirect.-com/science/article/pii/ S0031320396001422, 1997. (Pubitemid 127406521)
50. X.D. Hoang, J. Hu, and P. Bertok, "A Program-Based Anomaly Intrusion Detection Scheme Using Multiple Detection Engines and Fuzzy Inference, " J. Network and Computer Applications, vol. 32, no. 6, pp. 1219-1228, http://www.sciencedirect.com/science/article/pii/S108480450900071X, 2009.
51. A. Viterbi, "Error Bounds for Convolutional Codes and an Asymptotically Optimum Decoding Algorithm, " IEEE Trans. Information Theory, vol. 13, no. 2, pp. 260-269, Apr. 1967.
52. Computer Science Department, "University of New Mexico Intrusion Detection Dataset, " http://www.cs.unm.edu/~immsec/systemcalls.htm, 2012.
53. "Ubuntu Linux, " http://www.ubuntu.com, May 2012.
54. "The Apache Software Foundation, " http://apache.org, May 2012.
55. "PHP: Hypertext Processor, " http://www.php.net, May 2012.
56. "TikiWiki: CMS Groupware, " http://info.tiki.org/Tiki+Wiki+ CMS+Groupware, May 2012.
57. "Tiki Wiki CMS Groupware Remote PHP Code Injection.", 2012.
58. "Offensive Security Certified Professional, " http://www. offensive-security.com/information-security-certifications/oscp-offensive- security-certified-professional/, Nov. 2012.
59. "Metasploit Penetration Testing Software, " http://www. metasploit.com, Apr. 2012.
60. W. Lee, S. Stolfo, and K. Mok, "A Data Mining Framework for Building Intrusion Detection Models, " Proc. IEEE Symp. Security and Privacy, pp. 120-132, 1999.
61. D. Yeung and Y. Ding, "Host-Based Intrusion Detection Using Dynamic and Static Behavioural Models, " Pattern Recognition, vol. 36, no. 1, pp. 229-243, 2003.
62. W.-H. Chen, S.-H. Hsu, and H.-P. Shen, "Application of SVM and ANN for Intrusion Detection, " Computers and Operations Research, vol. 32, no. 10, pp. 2617-2634, http://www.sciencedirect.com/science/article/pii/ S0305054804000711, 2005. (Pubitemid 40219764)
63. A. Sharma, A.K. Pujari, and K.K. Paliwal, "Intrusion Detection Using Text Processing Techniques with a Kernel Based Similarity Measure, " Computers and Security, vol. 26, no. 7, pp. 488-495, http://www.sciencedirect. com/science/article/pii/S0167404807001113, 2007. (Pubitemid 350191974)
64. S. Rawat, V. Gulati, and A. Pujari, "A Fast Host-Based Intrusion Detection System Using Rough Set Theory, " Trans. Rough Sets IV, pp. 144-161, Springer, 2005.
65. M.R. Norouzian and S. Merati, "Classifying Attacks in a Network Intrusion Detection System Based on Artificial Neural Networks, " Proc. 13th Int'l Conf. Advanced Comm. Technology (ICACT), pp. 868-873, 2011.
66. G. Song, J. Zhang, and Z. Sun, "The Research of Dynamic Change Learning Rate Strategy in BP Neural Network and Application in Network Intrusion Detection, " Proc. Third Int'l Conf. Innovative Computing Information and Control (ICICIC '08), pp. 513-513, 2008.
67. Z. Linhui, F. Xin, and D. Yaping, "A Novel Adaptive Intrusion Detection Approach Based on Comparison of Neural Networks and Idiotypic Networks, " Proc. Second Int'l Workshop Nonlinear Dynamics and Synchronization (INDS '09), pp. 203-208, 2009.