Improved Edit Distance Method for System Call Anomaly Detection

Qian, Quan; Wu, Jinlin; Zhu, Wei; Xin, Mingjun

doi:10.1109/cit.2012.223

Cited by 8 publications

(2 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These editing distances cover partially the above-mentioned difficulties and have been used with great success to evaluate similarities and dissimilarities in sequences of nucleotides, some of them allowing for the isolation of abnormal subsequences [7]. In addition, they have been successfully adapted to cope with sequences of system calls [8]. However, the quadratic time complexity of most of these similarity measures and the need for the computation of the whole similarity matrix limit their use to small to medium size problems.…”

Section: Introductionmentioning

confidence: 99%

Sequence Covering for Efficient Host-Based Intrusion Detection

Marteau

2019

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

This paper introduces a new similarity measure, the covering similarity, that we formally define for evaluating the similarity between a symbolic sequence and a set of symbolic sequences. A pair-wise similarity can also be directly derived from the covering similarity to compare two symbolic sequences. An efficient implementation to compute the covering similarity is proposed that uses a suffix-tree data-structure, but other implementations, based on suffix-array for instance, are possible and possibly necessary for handling very large-scale problems. We have used this similarity to isolate attack sequences from normal sequences in the scope of Host-based Intrusion Detection. We have assessed the covering similarity on two well-known benchmarks in the field. In view of the results reported on these two datasets for the state of the art methods, and according to the comparative study we have carried out based on three challenging similarity measures commonly used for string processing or in bioinformatics, we show that the covering similarity is particularly relevant to address the detection of anomalies in sequences of system calls.

show abstract

Section: Introductionmentioning

confidence: 99%

Sequence Covering for Efficient Host-Based Intrusion Detection

Marteau

2019

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

show abstract

“…To determine whether a behavior is abnormal, existing studies quantify detection results with statistical or probabilistic methods by comparing with the normal pattern. Similarly, there are many algorithms, such as Bayesian reference, 15 edit distance, 16 Markov transfer, 10 fuzzy logic, 17 and kernel. 18 Note that the storage structure of patterns makes a significant impact on the performance of the detection algorithms.…”

Section: Introductionmentioning

confidence: 99%

EADetection: An efficient and accurate sequential behavior anomaly detection approach over data streams

Cheng

Wang

Zhou

et al. 2018

International Journal of Distributed Sensor Networks

View full text Add to dashboard Cite

Due to the increasing arriving rate and complex relationship of behavior data streams, how to detect sequential behavior anomaly in an efficient and accurate manner has become an emerging challenge. However, most of the existing literature simply calculates the anomaly score for segmented sequence, and there is limited work going deep to investigate data stream segment and structural relationship. Moreover, existing studies cannot meet efficiency requirements because of large number of projected subsequences. In this article, we propose EADetection, an efficient and accurate sequential behavior anomaly detection approach over data streams. EADetection adopts time interval and fuzzy logic-based correlation to segment event stream adaptively based on rolling window. Through dynamic projection space-based fast pruning, large number of repeated patterns are reduced to improve detection efficiency. Meanwhile, EADetection calculates the anomaly score by top-k pattern-based abnormal scoring based on directed loop graph-based storage strategy, which ensures the accuracy of detection. Specially, we design and implement a streaming anomaly detection system based on EADetection to perform real-time detection. Extensive experiments confirm that EADetection can achieve real time and improve accuracy, significantly reduces latency by 36.8% and reduces false positive rate by 6.4% compared with existing approach.

show abstract

Implementation System of Network User Abnormal Behavior Detection Algorithm Based on Data Layering

Zhu

Gan

2021

2021 Fifth International Conference on I-Smac (IoT in Social, Mobile, Analytics and Cloud) (I-Smac)

View full text Add to dashboard Cite

Improved Edit Distance Method for System Call Anomaly Detection

Cited by 8 publications

References 6 publications

Sequence Covering for Efficient Host-Based Intrusion Detection

Sequence Covering for Efficient Host-Based Intrusion Detection

EADetection: An efficient and accurate sequential behavior anomaly detection approach over data streams

Implementation System of Network User Abnormal Behavior Detection Algorithm Based on Data Layering

Contact Info

Product

Resources

About