Abstract
In this paper we propose a prediction-model method, as Eskin, Lee and Stolfo [7] did. In their method, the program was characterized by both the order and the kind of system calls. We focus on a non-sequential feature of the system calls issued by a program. We apply a Bayesian network to predicting the N-th system call from the preceding sequence of N–1 system calls. In addition, we show that a correlation between several kinds of system calls can be expressed with our method and can characterize a program's behavior.
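The abstract describes predicting the N-th system call from the N–1 calls before it and scoring a trace by how well that prediction holds. The following is an added example, not code or data from the paper: it replaces the paper's Bayesian network with a smoothed conditional frequency table (the simplest trainable estimate of P(call_N | call_1 .. call_{N-1})), trains it on constructed traces of system-call names, and flags positions whose observed call has a low predicted probability. The `ordered=False` option treats the N–1 preceding calls as a multiset, which illustrates the idea of a non-sequential feature (which kinds of calls appear in the window, not their order); it is an assumption of this example, not a description of the paper's model.

```python
from collections import Counter, defaultdict
from math import log

# Constructed training traces of system-call names (illustrative, not data from the paper).
NORMAL_TRACES = [
    ["open", "read", "read", "close"],
    ["open", "read", "write", "close"],
    ["open", "read", "read", "close"],
    ["open", "read", "read", "write", "close"],
]


class NextCallModel:
    """Predict the N-th system call from the N-1 calls before it.

    Conditional frequency tables with additive (Laplace) smoothing stand in
    for the paper's Bayesian network. With ordered=False the context is
    treated as a multiset, so only the kinds of calls in the window matter.
    """

    def __init__(self, window, ordered=True):
        self.n = window              # N: context length N-1 plus the predicted call
        self.ordered = ordered
        self.counts = defaultdict(Counter)  # context -> Counter of next call
        self.vocab = set()

    def _key(self, ctx):
        return tuple(ctx) if self.ordered else tuple(sorted(ctx))

    def train(self, traces):
        for trace in traces:
            self.vocab.update(trace)
            for i in range(len(trace) - self.n + 1):
                ctx = trace[i:i + self.n - 1]
                self.counts[self._key(ctx)][trace[i + self.n - 1]] += 1

    def prob(self, ctx, call):
        """Smoothed P(call | ctx); an unseen context falls back to a uniform estimate."""
        c = self.counts.get(self._key(ctx), Counter())
        v = len(self.vocab) + 1  # one extra slot for calls never seen in training
        return (c[call] + 1) / (sum(c.values()) + v)

    def predict(self, ctx):
        """Most likely N-th call for a context, or None if the context is unseen."""
        c = self.counts.get(self._key(ctx))
        return c.most_common(1)[0][0] if c else None

    def surprise(self, trace):
        """-log P of each N-th call given its N-1 predecessors, one value per window."""
        return [-log(self.prob(trace[i:i + self.n - 1], trace[i + self.n - 1]))
                for i in range(len(trace) - self.n + 1)]

    def score(self, trace):
        """Mean surprise over the trace; higher means the trace fits the model worse."""
        s = self.surprise(trace)
        return sum(s) / len(s) if s else 0.0

    def flag(self, trace, threshold):
        """(index, call, surprise) for positions whose call was less likely than threshold allows."""
        return [(i + self.n - 1, trace[i + self.n - 1], s)
                for i, s in enumerate(self.surprise(trace)) if s > threshold]


def train_default():
    """Train the ordered model with N = 3 on the constructed traces."""
    m = NextCallModel(window=3)
    m.train(NORMAL_TRACES)
    return m


if __name__ == "__main__":
    model = train_default()
    for t in (["open", "read", "read", "close"], ["open", "read", "execve", "close"]):
        print(t, round(model.score(t), 3), model.flag(t, threshold=log(8)))
```

On the constructed traces the context ("open", "read") predicts "read" with probability 4/9, while an "execve" in that position gets the smoothed floor of 1/9 and is the only flagged position; the threshold is a free parameter and, as with any such detector, sets the trade-off between missed anomalies and false alarms on rare but legitimate call sequences.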
References
Beyond-Security’s SecuriTeam.com. Writing Buffer Overflow Exploits - a Tutorial for Beginners, http://www.securiteam.com/securityreviews/5OP0B006UQ.html (accessed 2003-09-05)
Forrest, S., Hofmeyr, S.A., Somayaji, A., Longstaff, T.A.: A sense of self for Unix processes. In: The 1996 IEEE Symposium on Computer Security and Privacy (1996)
Forrest, S., Hofmeyr, S.A., Somayaji, A.: Intrusion detection using sequences of system calls. Journal of Computer Security 6, 151–180 (1998)
Helmer, G., Wong, J., Honavar, V., Miller, L.: Intelligent agents for intrusion detection. In: IEEE Information Technology Conference, September 1998, pp. 121–124 (1998)
Warrender, C., Forrest, S., Pearlmutter, B.: Detecting intrusions using system calls: alternative data models. In: Proceedings of the 1999 IEEE Symposium on Security and Privacy (1999)
Marceau, C.: Characterizing the behavior of a program using multiple-length n-grams. In: Proceedings of the New Security Paradigms Workshop 2000 (2000)
Eskin, E., Lee, W., Stolfo, S.: Modeling system call for intrusion detection using dynamic window sizes. In: Proceedings of the 2001 DARPA Information Survivability Conference & Exposition, Anaheim, CA (June 2001)
Li, S., Jones, A.: Temporal Signatures for Intrusion Detection. In: 17th Annual Computer Security Applications Conference, December 10-14 (2001)
Kosoresow, A.P., Hofmeyr, S.A.: Intrusion Detection via System Call Traces. IEEE Software 14, 24–42 (1997)
Sekar, R., Bendre, M., Bollineni, P., Dhurjati, D.: A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors. In: Proceedings of the IEEE Symposium on Security and Privacy (2001)
Liao, Y., Rao Vemuri, V.: Using Text Categorization Techniques for Intrusion Detection. In: Proceedings of the 11th USENIX Security Symposium (August 2002)
Tan, K.M.C., Maxion, R.A.: Why 6? Defining the Operational Limits of stide, an Anomaly-Based Intrusion Detector. In: Proceedings of IEEE Symposium on Security & Privacy, pp. 188–201 (2002)
Lee, W., Stolfo, S., Chan, P.: Learning Patterns from Unix Process Execution Traces for Intrusion Detection. In: Proceedings of AAAI 1997 Workshop on AI Methods in Fraud and Risk Management, pp. 50–56 (1997)
Lee, W., Xiang, D.: Information-Theoretic Measures for Anomaly Detection. In: Proceedings of The 2001 IEEE Symposium on Security and Privacy, Oakland, CA (May 2001)
Wagner, D., Dean, D.: Intrusion Detection via Static Analysis. In: Proceedings of the 2001 IEEE Symposium on Security and Privacy (2001)
Oka, M., Abe, H., Oyama, Y., Kato, K.: Intrusion Detection System Based on Static Analysis and Dynamic Detection. In: Proceedings of Forum on Information Technology (FIT 2003), Japan (September 2003)
Wagner, D., Soto, P.: Mimicry Attacks on Host-Based Intrusion Detection Systems. In: Proceedings of the 9th ACM Conference on Computer and Communications Security (November 2002)
Motomura, Y., Hara, I.: User Model Construction System using Probabilistic Networks, http://staff.aist.go.jp/y.motomura/ipa/ (accessed 2003-09-05)
Conover, W.J.: Practical Nonparametric Statistics. John Wiley & Sons, Inc., New York (1971)
© 2005 Springer-Verlag Berlin Heidelberg
Cite this paper
Tatara, K., Tabata, T., Sakurai, K. (2005). A Probabilistic Method for Detecting Anomalous Program Behavior. In: Lim, C.H., Yung, M. (eds) Information Security Applications. WISA 2004. Lecture Notes in Computer Science, vol 3325. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-31815-6_8
DOI: https://doi.org/10.1007/978-3-540-31815-6_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-24015-0
Online ISBN: 978-3-540-31815-6
eBook Packages: Computer Science (R0)