Sequential Frequency Vector Based System Call Anomaly Detection

Although either of temporal ordering and frequency distribution information embedded in process traces can profile normal process behaviors, but none of ever published schemes uses both of them to detect system call anomaly. This paper claims combining those two kinds of useful information can improve detection performance and firstly proposes sequential frequency vector (SFV) to exploit both temporal ordering and frequency information for system call anomaly detection. Extensive experiments on DARPA-1998 and UNM dataset have substantiated the claim. It is shown that SFV contains richer information and significantly outperforms other techniques in achieving lower false positive rates at 100% detection rate.

[1]  Connie M. Borror,et al.  Robustness of the Markov-chain model for cyber-attack detection , 2004, IEEE Transactions on Reliability.

[2]  Sung-Bae Cho,et al.  Efficient anomaly detection by modeling privilege flows using hidden Markov model , 2003, Comput. Secur..

[3]  Alan S. Perelson,et al.  Self-nonself discrimination in a computer , 1994, Proceedings of 1994 IEEE Computer Society Symposium on Research in Security and Privacy.

[4]  R. Sekar,et al.  A fast automaton-based method for detecting anomalous program behaviors , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[5]  Yiguo Qiao,et al.  Anomaly intrusion detection method based on HMM , 2002 .

[6]  Connie M. Borror,et al.  EWMA forecast of normal system activity for computer intrusion detection , 2004, IEEE Transactions on Reliability.

[7]  V. Rao Vemuri,et al.  Use of K-Nearest Neighbor classifier for intrusion detection , 2002, Comput. Secur..

[8]  David A. Wagner,et al.  Intrusion detection via static analysis , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[9]  V. Rao Vemuri,et al.  Using Text Categorization Techniques for Intrusion Detection , 2002, USENIX Security Symposium.

[10]  Stephanie Forrest,et al.  Architecture for an Artificial Immune System , 2000, Evolutionary Computation.

[11]  Stephanie Forrest,et al.  Coverage and Generalization in an Artificial Immune System , 2002, GECCO.

[12]  Steven A. Hofmeyr,et al.  Intrusion Detection via System Call Traces , 1997, IEEE Softw..

[13]  Qiang Chen,et al.  Probabilistic techniques for intrusion detection based on computer audit data , 2001, IEEE Trans. Syst. Man Cybern. Part A.

[14]  Amitabha Das,et al.  Analyzing and evaluating dynamics in stide performance for intrusion detection , 2006, Knowl. Based Syst..

[15]  Somesh Jha,et al.  Formalizing sensitivity in static analysis for intrusion detection , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[16]  Kuldip K. Paliwal,et al.  Intrusion detection using text processing techniques with a kernel based similarity measure , 2007, Comput. Secur..

[17]  Salvatore J. Stolfo,et al.  Data Mining Approaches for Intrusion Detection , 1998, USENIX Security Symposium.

[18]  V. Rao Vemuri,et al.  Intrusion Detection Using Text Processing Techniques with a Binary-Weighted Cosine Metric , 2006 .

[19]  Stephanie Forrest,et al.  A sense of self for Unix processes , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[20]  Barak A. Pearlmutter,et al.  Detecting intrusions using system calls: alternative data models , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[21]  Stephanie Forrest,et al.  Intrusion Detection Using Sequences of System Calls , 1998, J. Comput. Secur..

[22]  Ying Wu,et al.  Frequency Weighted Hamming Distance for System Call Anomaly Detection , 2009, 2009 WRI World Congress on Computer Science and Information Engineering.