Using Program Behavior Profiles for Intrusion Detection

Intrusion detection and response has traditionally been performed at the network and host levels. That is, intrusion monitors will typically analyze network packet logs or host machine audit logs for signs of intrusion activity. More often than not, commercial off-the-shelf (COTS) intrusion detection tools use fingerprints of known intrusions to detect their presence in these audit trails. Both these approaches, employed by most state-of-the-practice tools, have their drawbacks. In this paper, we describe a method for program-based intrusion detection that is aimed at detecting novel attacks against systems.
