Characterizing the behavior of a program using multiple-length N-grams

Marceau, Carla

doi:10.1145/366173.366197

Cited by 84 publications

(38 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…N-gram theory has been largely used in the context of natural language analysis, it also has been used in anomaly detection by Maxion and Tan [6,7], Marceau [8], Wespi [9], and Forrest et al [5]. All these papers present ways of using n-grams for anomaly detection and not for log file reduction.…”

Section: Session Length Reduction Methodsmentioning

confidence: 99%

See 1 more Smart Citation

On the Role of Information Compaction to Intrusion Detection

Godínez

Hutter²,

Monroy

2005

Advanced Distributed Systems

View full text Add to dashboard Cite

Abstract. An intrusion detection system (IDS) usually has to analyse Giga-bytes of audit information. In the case of anomaly IDS, the information is used to build a user profile characterising normal behaviour. Whereas for misuse IDSs, it is used to test against known attacks. Probabilistic methods, e.g. hidden Markov models, have proved to be suitable to profile formation but are prohibitively expensive. To bring these methods into practise, this paper aims to reduce the audit information by folding up subsequences that commonly occur within it. Using n-grams language models, we have been able to successfully identify the n-grams that appear most frequently. The main contribution of this paper is a n-gram extraction and identification process that significantly reduces an input log file keeping key information for intrusion detection. We reduced log files by a factor of 3.6 in the worst case and 4.8 in the best case. We also tested reduced data using hidden Markov models (HMMs) for intrusion detection. The time needed to train the HMMs is greatly reduced by using our reduced log files, but most importantly, the impact on both the detection and false positive ratios are negligible.

show abstract

Section: Session Length Reduction Methodsmentioning

confidence: 99%

“…To identify the most repetitive session subsequences, we use n-gram theory. N-gram theory has been largely used in the context of natural language processing; it has also been used in anomaly detection [5][6][7][8][9].…”

Section: Introductionmentioning

confidence: 99%

On the Role of Information Compaction to Intrusion Detection

Godínez

Hutter²,

Monroy

2005

Advanced Distributed Systems

View full text Add to dashboard Cite

show abstract

“…The -gram matching rule has been used in a wide variety of settings including natural language processing [40], document classification [47], and program monitoring [5], [20], [24], [36] for intrusion detection. In the latter application, -grams can be applied when the behavior of the protected process (for example, an executing computer program) can be represented as a sequence of letters taken from some alphabet.…”

Section: ) Example: -Gramsmentioning

confidence: 99%

“…A node with label in level is connected to a node with label in level if the last symbols of match the first symbols of (akin to the previous example). A similar graphical construction was used in [69] for determining multiple length -grams. The set of protected traces of length can be retrieved by traversing all possible paths, from the first to the last level, in this graph.…”

Section: ) Example: -Gramsmentioning

confidence: 99%

A Formal Framework for Positive and Negative Detection Schemes

Esponda

Forrest

Helman

2004

IEEE Trans. Syst., Man, Cybern. B

145

View full text Add to dashboard Cite

Abstract-In anomaly detection, the normal behavior of a process is characterized by a model, and deviations from the model are called anomalies. In behavior-based approaches to anomaly detection, the model of normal behavior is constructed from an observed sample of normally occurring patterns. Models of normal behavior can represent either the set of allowed patterns (positive detection) or the set of anomalous patterns (negative detection). A formal framework is given for analyzing the tradeoffs between positive and negative detection schemes in terms of the number of detectors needed to maximize coverage. For realistically sized problems, the universe of possible patterns is too large to represent exactly (in either the positive or negative scheme). Partial matching rules generalize the set of allowable (or unallowable) patterns, and the choice of matching rule affects the tradeoff between positive and negative detection. A new match rule is introduced, called -chunks, and the generalizations induced by different partial matching rules are characterized in terms of the crossover closure. Permutations of the representation can be used to achieve more precise discrimination between normal and anomalous patterns. Quantitative results are given for the recognition ability of contiguous-bits matching together with permutations.

show abstract

“…A large number of researchers adopted the system-call approach, some seeking to improve on the original methods [49,54,45,62,29], some applying its method to other problems [68,30,50], and some attempting to defeat the system [74,70]. Sana Security developed a product known as Primary Response based on the technology, which it actively marketed to protect servers.…”

Section: Introductionmentioning

confidence: 99%

The Evolution of System-Call Monitoring

Forrest

Hofmeyr

Somayaji

2008

2008 Annual Computer Security Applications Conference (ACSAC)

101

View full text Add to dashboard Cite

Computer security systems protect computers and networks from unauthorized use by external agents and insiders. The similarities between computer security and the problem of protecting a body against damage from externally and internally generated threats are compelling and were recognized as early as 1972 when the term computer virus was coined. The connection to immunology was made explicit in the mid 1990s, leading to a variety of prototypes, commercial products, attacks, and analyses. The paper reviews one thread of this active research area, focusing on system-call monitoring and its application to anomaly intrusion detection and response.The paper discusses the biological principles illustrated by the method, followed by a brief review of how system call monitoring was used in anomaly intrusion detection and the results that were obtained. Proposed attacks against the method are discussed, along with several important branches of research that have arisen since the original papers were published. These include other data modeling methods, extensions to the original system call method, and rate limiting responses. Finally, the significance of this body of work and areas of possible future investigation are outlined in the conclusion.

show abstract

Characterizing the behavior of a program using multiple-length N-grams

Cited by 84 publications

References 8 publications

On the Role of Information Compaction to Intrusion Detection

On the Role of Information Compaction to Intrusion Detection

A Formal Framework for Positive and Negative Detection Schemes

The Evolution of System-Call Monitoring

Contact Info

Product

Resources

About