Classification of anomalous traces of privileged and parallel programs by neural networks

The focus of intrusion detection has recently shifted from user-based and connection-based to process-based intrusion detection. Substantial research has been done in the analysis of system call logs using different methods, including neural networks. Detection is based on the classification of short sequences as anomalous or normal. The classification of interest, however, is the status of the program trace, not just the short sequences. In this paper we report the results of a comparative study of three different methods for on-line classification of program traces based on the detection of anomalies in sequences of system calls by neural networks. These results demonstrate that methods that use information about the locality of anomalies are more effective than those that only look at the number of anomalies.
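As an added illustration (not code from the paper), the following Python toy contrasts a count-based trace score with a locality-based one over the per-sequence verdicts. A lookup of length-3 sequences against a normal profile stands in for the paper's neural-network sequence classifier, and the traces, frame size and thresholds are constructed assumptions.

```python
from typing import Dict, List, Sequence, Set, Tuple

N = 3          # length of the short system-call sequences that get classified
FRAME = 5      # locality frame: consecutive sequence verdicts inspected together

def build_profile(traces: Sequence[Sequence[str]], n: int = N) -> Set[Tuple[str, ...]]:
    """Normal profile: every length-n sequence observed in known-good traces."""
    return {tuple(t[i:i + n]) for t in traces for i in range(len(t) - n + 1)}

def flag_sequences(trace: Sequence[str], profile: Set[Tuple[str, ...]], n: int = N) -> List[int]:
    """Per-sequence verdicts, 1 = anomalous. A set lookup stands in for the
    per-sequence neural-network classifier evaluated in the paper (assumption)."""
    return [0 if tuple(trace[i:i + n]) in profile else 1
            for i in range(len(trace) - n + 1)]

def count_score(flags: List[int]) -> int:
    """Count-based trace score: how many short sequences were anomalous."""
    return sum(flags)

def locality_score(flags: List[int], frame: int = FRAME) -> int:
    """Locality-based trace score: the most anomalies seen in any `frame`
    consecutive sequences, so a burst scores higher than the same number spread out."""
    return max((sum(flags[i:i + frame]) for i in range(len(flags))), default=0)

def classify_trace(trace: Sequence[str], profile: Set[Tuple[str, ...]],
                   count_threshold: int = 8, locality_threshold: int = 4) -> Dict[str, object]:
    """Trace-level verdict under both rules; thresholds are illustrative."""
    flags = flag_sequences(trace, profile)
    c, l = count_score(flags), locality_score(flags)
    return {"count": c, "locality": l,
            "anomalous_by_count": c > count_threshold,
            "anomalous_by_locality": l >= locality_threshold}

# Constructed toy traces (not from the paper's data set).
CYCLE = ["open", "read", "write", "close"]
PROFILE = build_profile([CYCLE * 4])
# Three isolated unexpected calls spread through otherwise normal activity.
SCATTERED = CYCLE + ["ioctl"] + CYCLE * 2 + ["ioctl"] + CYCLE * 2 + ["ioctl"] + CYCLE
# The same normal activity with one contiguous burst of unexpected calls.
CLUSTERED = CYCLE * 2 + ["socket", "connect", "dup2", "dup2", "fork", "execve", "wait4"] + CYCLE * 4

if __name__ == "__main__":
    for name, trace in (("scattered", SCATTERED), ("clustered", CLUSTERED)):
        print(name, classify_trace(trace, PROFILE))
```

Both traces produce nine anomalous sequences, so the count rule cannot tell them apart, while the locality rule separates the burst (frame score 5) from the scattered noise (frame score 3).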