论文信息 - Learning Patterns from Unix Process Execution Traces for Intrusion Detection

Learning Patterns from Unix Process Execution Traces for Intrusion Detection

In this paper we describe our preliminary experiments to extend the work pioneered by Forrest (see Forrest et al. 1996) on learning the (normal abnormal) patterns of Unix processes. These patterns can be used to identify misuses of and intrusions in Unix systems. We formulated machine learning tasks on operating system call sequences of normal and abnormal (intrusion) executions of the Unix sendmail program. We show that our methods can accurately distinguish all abnormal executions of sendmail from the normal ones provided in a set of test traces. These preliminary results indicate that machine learning can play an important role by generalizing stored sequence information to perhaps provide broader intrusion detection services. The experiments also reveal some interesting and challenging problems for future research. much effort has been devoted to the problem of detecting intrusions as quickly as possible. There are two basic approaches to intrusion detection: ¯ Misuse Intrusion Detection: known patterns of (past

[1] William W. Cohen. Fast Effective Rule Induction , 1995, ICML.

[2] Richard A. Kemmerer,et al. State Transition Analysis: A Rule-Based Intrusion Detection Approach , 1995, IEEE Trans. Software Eng..

[3] Paul R. Cohen,et al. Searching for Structure in Multiple Streams of Data , 1996, ICML.

[4] Stephanie Forrest,et al. A sense of self for Unix processes , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[5] Salvatore J. Stolfo,et al. Credit Card Fraud Detection Using Meta-Learning: Issues and Initial Results 1 , 1997 .

[6] H. S. Teng,et al. Security audit trail analysis using inductively generated predictive rules , 1990, Sixth Conference on Artificial Intelligence for Applications.

[7] Salvatore J. Stolfo,et al. Toward parallel and distributed learning by meta-learning , 1993 .

[8] Karl N. Levitt,et al. Automated detection of vulnerabilities in privileged programs by execution monitoring , 1994, Tenth Annual Computer Security Applications Conference.

[9] H. Javitz,et al. IDES : The Enhanced Prototype A Real-Time Intrusion-Detection Expert System , 1988 .

[10] Sandeep Kumar,et al. A Software Architecture to Support Misuse Intrusion Detection , 1995 .