2006
DOI: 10.1007/11663812_4

Behavioral Distance for Intrusion Detection

Abstract: We introduce a notion, behavioral distance, for evaluating the extent to which processes, potentially running different programs and executing on different platforms, behave similarly in response to a common input. We explore behavioral distance as a means to detect an attack on one process that causes its behavior to deviate from that of another. We propose a measure of behavioral distance and a realization of this measure using the system calls emitted by processes. Through an empirical evaluation of…

Cited by 55 publications (57 citation statements)
References 26 publications
“…This architecture is then utilized for developing diversity-based intrusion detection techniques [6,10,11,16,25]. Most of these techniques use Commercial Off-The-Shelf (COTS) software to build the detection models.…”
Section: Related Work
confidence: 99%
“…The Behavioral Distance model by Gao et al. [10,11] was later proposed to defend against stealthy attacks which are addressed by neither the output voting schemes nor traditional intrusion detection techniques, which only monitor a single application. However, since the hidden Markov model used in their scheme (to train the normal-behavior profiles of the system call sequences) is only able to handle finite states, their model cannot be simply extended to detect attacks utilizing erratic arguments.…”
Section: Related Work
confidence: 99%
“…Having a k which is less than the actual number of clusters causes outliers to be included, thus significantly impacting the cluster features. (Gao et al., 2005) had proposed the use of applying DNA behavior distance of a sequence of system call subsets by calculating the distance between the system call phrases of a given process and its replica. Their approach works by computing the edit distance between any two system call phrases, where a phrase is a sequence of system calls.…”
Section: Behavior Analysis Based Botnet Detection
confidence: 99%
“…In Rootsense, we suggest monitoring of an entire system (in an uncompromised state), rather than each application individually, to derive benign activity signatures corresponding to specific anomalous event signatures, to reduce false positives. Gao et al. [11] propose detecting compromised programs by comparing the behavioral distance of distinct implementations of the program on the same inputs. Bhatkar et al.'s data-flow modeling work [3] uses a similar approach.…”
Section: Related Work
confidence: 99%