2000
DOI: 10.1007/3-540-39945-3_8
Intrusion Detection Using Variable-Length Audit Trail Patterns

Abstract: Audit trail patterns generated on behalf of a Unix process can be used to model the process behavior. Most of the approaches proposed so far use a table of fixed-length patterns to represent the process model. Variable-length patterns seem more naturally suited to modeling the process behavior, but they are also more difficult to construct. In this paper, we present a novel technique to build a table of variable-length patterns. This technique is based on Teiresias, an algorithm initially…

Cited by 129 publications (105 citation statements)

References 8 publications

Citation statements:
“…In sequence enumeration, S. Forrest used fixed-length system call sequences to describe normal software behavior in 1988. To overcome the inflexibility of fixed length, Wespi proposed a variable-length model, called V-gram [4], which introduced variable-length patterns to find sequence patterns of system calls. HMM (Hidden Markov Model) is the most representative approach in the field of machine learning.…”
Section: Related Work
confidence: 99%
“…A significant amount of research has sought to detect such attacks through monitoring the behavior of the process and comparing that behavior to a model of "normal" behavior. Typically this model of "normal" is obtained either from the process' own previous behavior [10,27,9,8,13,12,37] or the behavior prescribed by the source code or executable of the program it executes [35,14,15].…”
Section: Introduction
confidence: 99%
“…For comparison to the profile, typical anomaly detectors use system calls [6,14,15,16,17] or function calls [5,18] as the granularity for events.…”
confidence: 99%