Fixed vs. variable-length patterns for detecting suspicious process behavior

Debar, Hervé; Daciér, Marc; Nassehi, Mehdi; Wespi, Andreas

doi:10.1007/bfb0055852

Cited by 22 publications

(19 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Some mechanisms of error detection are directed towards both non-malicious and malicious faults (e.g., memory access protection techniques). Intrusion detection is usually performed via likelihood checks [Forrest et al 1996, Debar et al 1998]. Approaches and schemes have been proposed for tolerating:…”

Section: Implementation Of Fault Tolerancementioning

confidence: 99%

Basic concepts and taxonomy of dependable and secure computing

Avižienis

Laprie

Randell

et al. 2004

IEEE Trans.Dependable and Secure Comput.

4,028

2,435

View full text Add to dashboard Cite

show abstract

Section: Implementation Of Fault Tolerancementioning

confidence: 99%

Basic concepts and taxonomy of dependable and secure computing

Avižienis

Laprie

Randell

et al. 2004

IEEE Trans.Dependable and Secure Comput.

4,028

2,435

View full text Add to dashboard Cite

show abstract

“…Specifically, the authors use Hotelling's T 2 distributions to detect outliers in series of records coming from generic information systems (e.g., log files generated by a web server). Knowledge-based techniques include all classification techniques based on deductive reasoning as well as specification-based intrusion detection approaches [63][64][65]. For example, Wespi et al describe Unix process behaviors by modeling either the system calls or the generated audit events.…”

Section: )mentioning

confidence: 99%

“…For example, host-based intrusion detection commonly analyzes system calls [63,64,75], software data structures [76,77], and application execution flows [78]. On the other hand, network-based intrusion detection generally focuses on network communications and, often, on single network messages.…”

Section: Feature Selectionmentioning

confidence: 99%

“…Some of these works focus on profiling user activities [165]. Others focus instead on profiling programs or sequences of system calls [63,64,75,166,167].…”

Section: State Of the Artmentioning

confidence: 99%

“…This analysis would miss to identify subsequences of events larger than n that remain constant over time. Nevertheless, works such as Wespi et al show that countermeasures to this problem are possible by using more sophisticated modeling techniques based on variable-length patterns [63,64]. On the other hand, modeling communications with DFA would allow to identify sequences of any length but it would not suit the analysis of rare events.…”

Section: Modelingmentioning

confidence: 99%

See 2 more Smart Citations