Characterizing the Behavior of a Program Using Multiple-Length N-Grams

Marceau, Carla

doi:10.21236/ada436198

Cited by 12 publications

(14 citation statements)

References 3 publications

(3 reference statements)

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Their results showed that their method could find about 75% of anomalous system calls. Marceau [15] and Cabrera et al [55] undertook similar experiments using different methods. The former uses multiple length n-grams on system logs and shows a high rate (13/20) of finding anomalies with fewer datasets than Forrest and Longstaff, and by analysing the normal dictionary, which stores the permitted sequences of system calls, shows that it was possible to detect anomalies with a detection rate of 75-100%.…”

Section: System Behavioursmentioning

confidence: 99%

“…Instead it monitors network traffic and compares it against an established baseline, where the baseline identifies what is "normal" for that network, what protocols are generally used, what ports and devices generally connect to each other. It alerts the administrator or user when anomalous or significantly different traffic is detected [13][14][15][16][17]. However, it may miss both known and novel attacks if they are not manifested along the observed dimensions.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

User profiling in intrusion detection: A review

Peng

Choo

Ashman

2016

Journal of Network and Computer Applications

106

View full text Add to dashboard Cite

Section: System Behavioursmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

User profiling in intrusion detection: A review

Peng

Choo

Ashman

2016

Journal of Network and Computer Applications

106

View full text Add to dashboard Cite

“…In the ensuing work these ideas were extended through application of Hidden Markov Models [21], feed-forward and recursive neural networks [23], rule induction algorithms [65] and Support Vector Machines [9]. As part of this evolution, trie and suffix tree data structures were introduced for storage and analysis of system call n-grams [22,24,66]. Beside system call analysis, n-gram models have recently been applied as part of host-based intrusion detection for identification of malicious code in program binaries and documents [e.g.…”

Section: Related Work and Conclusionmentioning

confidence: 99%

“…N-grams have been extensively used in host-based intrusion detection for modeling traces of system calls [e.g. [19][20][21][22][23][24], but until recently have not been applied in the context of network intrusion detection for n > 1. Tokenized words have been used for anomaly detection using rule-based learning [e.g.…”

mentioning

confidence: 99%

Language models for detection of unknown attacks in network traffic

Rieck¹,

Laskov²

2006

J Comput Virol

View full text Add to dashboard Cite

In this paper we propose a method for network intrusion detection based on language models. Our method proceeds by extracting language features such as n-grams and words from connection payloads and applying unsupervised anomaly detection without prior learning phase or presence of labeled data. The essential part of this procedure is linear-time computation of similarity measures between language models of connection payloads. Particular patterns in these models decisive for discrimination of attacks and normal data can be traced back to attack semantics and utilized for automatic generation of attack signatures. Results of experiments conducted on two datasets of network traffic demonstrate the importance of higher-order n-grams and variable-length language models for detection of unknown network attacks. An implementation of our system achieved detection accuracy of over 80% with no false positives on instances of recent remote-to-local attacks in HTTP, FTP and SMTP traffic

show abstract

“…The WIDS APs will detect intrusions based on both known attack signatures (such as network probes from NetStumbler or other non-passive "war-driving" programs ) and behavior based signatures (such as an internal MAC address suddenly appearing in an external location on a machine with different OS characteristics than it had previously). WIDS will detect anomalous behavior by tying the signature data into a behavior-based intrusion detection system [6,9].…”

Section: Wids Apmentioning

confidence: 99%

Physically locating wireless intruders

Adelstein¹,

Prasanth²,

Joyce³

et al. 2004

International Conference on Information Technology: Coding and Computing, 2004. Proceedings. ITCC 2004.

View full text Add to dashboard Cite

Wireless networks, specifically IEEE 802.11, are inexpensive and easy to deploy, but their signals can be detected by eavesdroppers at great distances. Even with existing and new security measures, wireless networks have a higher risk than wired nets. WIDS, Wireless Intrusion Detection System, provides an additional layer of security by combining intrusion detection with physical location determination, using directional antennas. We briefly describe WIDS and present our initial results of remote station location using inexpensive hardware.

show abstract

Characterizing the Behavior of a Program Using Multiple-Length N-Grams

Cited by 12 publications

References 3 publications

User profiling in intrusion detection: A review

User profiling in intrusion detection: A review

Language models for detection of unknown attacks in network traffic

Physically locating wireless intruders

Contact Info

Product

Resources

About