
A Probabilistic Method for Detecting Anomalous Program Behavior

Conference paper. Information Security Applications (WISA 2004).

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 3325)

Abstract

In this paper we, like Eskin, Lee and Stolfo [7], propose a prediction-model method. In their method, the program was characterized by both the order and the kind of system calls. We focus on a non-sequential feature of the system calls issued by a program. We apply a Bayesian network to predict the N-th system call from the preceding sequence of N–1 system calls. In addition, we show that a correlation between several kinds of system calls can be expressed with our method and can characterize a program's behavior.
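The abstract only names the idea: model the N-th system call as depending on which calls occur in the preceding N–1 positions rather than on their order, and flag calls the model finds improbable. The following is an added illustration, not the authors' code or model: it assumes a naive-Bayes network (each preceding call is a binary "present in the window" feature conditioned on the N-th call), Laplace smoothing, N=4, and a constructed benign trace made of a file-read loop and a network-write loop.

```python
from collections import Counter, defaultdict
from math import log, exp

# Constructed training trace (not from the paper): a file-read loop and a
# network-write loop, each repeated, as a sequence of system call names.
NORMAL_TRACE = (["open", "read", "mmap", "close"] * 5
                + ["socket", "connect", "write", "close"] * 3) * 2


class BagOfCallsModel:
    """Naive-Bayes network: the N-th call depends on WHICH calls appear in the
    N-1 preceding positions, not on their order (a non-sequential feature)."""

    def __init__(self, n=4, alpha=1.0):
        self.n, self.alpha = n, alpha
        self.prior = Counter()               # how often each call is the N-th call
        self.present = defaultdict(Counter)  # present[t][c]: windows containing c before t
        self.vocab = set()                   # every call name seen in training

    def train(self, trace):
        for i in range(self.n - 1, len(trace)):
            window, target = set(trace[i - self.n + 1:i]), trace[i]
            self.prior[target] += 1
            self.vocab |= window | {target}
            for c in window:
                self.present[target][c] += 1

    def _log_joint(self, window, target):
        # log P(target) + sum over vocab of log P(c present or absent | target),
        # Laplace-smoothed; calls never seen in training are ignored as features.
        n_t = self.prior[target]
        lp = log((n_t + self.alpha) / (sum(self.prior.values()) + self.alpha * len(self.vocab)))
        for c in self.vocab:
            p_in = (self.present[target][c] + self.alpha) / (n_t + 2 * self.alpha)
            lp += log(p_in if c in window else 1.0 - p_in)
        return lp

    def posterior(self, window, target):
        """P(N-th call = target | bag of the N-1 preceding calls), normalised."""
        window, candidates = set(window), self.vocab | {target}
        joint = {t: self._log_joint(window, t) for t in candidates}
        m = max(joint.values())  # log-sum-exp for numerical stability
        return exp(joint[target] - m) / sum(exp(v - m) for v in joint.values())

    def predict(self, window):
        return max(self.vocab, key=lambda t: self.posterior(window, t))

    def anomaly_score(self, trace):
        """Surprise (-log posterior) of each observed N-th call; high = unexpected."""
        return [-log(self.posterior(trace[i - self.n + 1:i], trace[i]))
                for i in range(self.n - 1, len(trace))]
```

In use, a threshold on `anomaly_score` over a monitored trace separates calls the trained model expects from ones it has never seen follow that bag of calls.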


References

  1. Beyond-Security's SecuriTeam.com: Writing Buffer Overflow Exploits - a Tutorial for Beginners, http://www.securiteam.com/securityreviews/5OP0B006UQ.html (accessed 2003-09-05)
  2. Forrest, S., Hofmeyr, S.A., Somayaji, A., Longstaff, T.A.: A sense of self for Unix processes. In: The 1996 IEEE Symposium on Computer Security and Privacy (1996)
  3. Forrest, S., Hofmeyr, S.A., Somayaji, A.: Intrusion detection using sequences of system calls. Journal of Computer Security 6, 151–180 (1998)
  4. Helmer, G., Wong, J., Honavar, V., Miller, L.: Intelligent agents for intrusion detection. In: IEEE Information Technology Conference, September 1998, pp. 121–124 (1998)
  5. Warrender, C., Forrest, S., Pearlmutter, B.: Detecting intrusions using system calls: alternative data models. In: Proceedings of the 1999 IEEE Symposium on Security and Privacy (1999)
  6. Marceau, C.: Characterizing the behavior of a program using multiple-length n-grams. In: Proceedings of the New Security Paradigms Workshop 2000 (2000)
  7. Eskin, E., Lee, W., Stolfo, S.: Modeling system calls for intrusion detection using dynamic window sizes. In: Proceedings of the 2001 DARPA Information Survivability Conference & Exposition, Anaheim, CA (June 2001)
  8. Li, S., Jones, A.: Temporal Signatures for Intrusion Detection. In: 17th Annual Computer Security Applications Conference, December 10–14 (2001)
  9. Kosoresow, A.P., Hofmeyr, S.A.: Intrusion Detection via System Call Traces. IEEE Software 14, 24–42 (1997)
  10. Sekar, R., Bendre, M., Bollineni, P., Dhurjati, D.: A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors. In: Proceedings of the IEEE Symposium on Security and Privacy (2001)
  11. Liao, Y., Rao Vemuri, V.: Using Text Categorization Techniques for Intrusion Detection. In: Proceedings of the 11th USENIX Security Symposium (August 2002)
  12. Tan, K.M.C., Maxion, R.A.: Why 6? Defining the Operational Limits of stide, an Anomaly-Based Intrusion Detector. In: Proceedings of the IEEE Symposium on Security & Privacy, pp. 188–201 (2002)
  13. Lee, W., Stolfo, S., Chan, P.: Learning Patterns from Unix Process Execution Traces for Intrusion Detection. In: Proceedings of the AAAI 1997 Workshop on AI Methods in Fraud and Risk Management, pp. 50–56 (1997)
  14. Lee, W., Xiang, D.: Information-Theoretic Measures for Anomaly Detection. In: Proceedings of the 2001 IEEE Symposium on Security and Privacy, Oakland, CA (May 2001)
  15. Wagner, D., Dean, D.: Intrusion Detection via Static Analysis. In: Proceedings of the 2001 IEEE Symposium on Security and Privacy (2001)
  16. Oka, M., Abe, H., Oyama, Y., Kato, K.: Intrusion Detection System Based on Static Analysis and Dynamic Detection. In: Proceedings of the Forum on Information Technology (FIT 2003), Japan (September 2003)
  17. Wagner, D., Soto, P.: Mimicry Attacks on Host-Based Intrusion Detection Systems. In: Proceedings of the 9th ACM Conference on Computer and Communications Security (November 2002)
  18. Motomura, Y., Hara, I.: User Model Construction System using Probabilistic Networks, http://staff.aist.go.jp/y.motomura/ipa/ (accessed 2003-09-05)
  19. Conover, W.J.: Practical Nonparametric Statistics. John Wiley & Sons, Inc., New York (1971)


Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Tatara, K., Tabata, T., Sakurai, K. (2005). A Probabilistic Method for Detecting Anomalous Program Behavior. In: Lim, C.H., Yung, M. (eds) Information Security Applications. WISA 2004. Lecture Notes in Computer Science, vol 3325. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-31815-6_8


  • DOI: https://doi.org/10.1007/978-3-540-31815-6_8

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-24015-0

  • Online ISBN: 978-3-540-31815-6

  • eBook Packages: Computer Science (R0)
