http://dx.doi.org/10.6109/jkiice.2011.15.5.1066

A Design of Time-based Anomaly Intrusion Detection Model

Shin, Mi-Yea (Chungbuk National University)
Jeong, Yoon-Su (Institute of Industrial Technology, Hannam University)
Lee, Sang-Ho (Department of Software, Chungbuk National University)
Abstract
In the method that analyzes the relationships among system call orders, the normal system call orders are divided into windows of a fixed size to generate genes, which are then used as detectors. In the method that considers system call parameters, the mean and standard deviation of the parameter lengths are used as detectors. An attack in which the system call order is normal but the parameter values are changed, such as a format string attack, cannot be detected by a method that considers only the system call orders, whereas a model that considers only the system call parameters suffers from a high positive defect rate, because it treats parameters individually and is therefore influenced by information from intervals in which no attack has begun. To solve these problems, a more efficient learning and detection method is needed that groups consecutive system call orders and parameters together, as an approach that considers several attack-related characteristics of system calls simultaneously. In this article, we detect anomalies in system call orders and parameters by applying a temporal concept to both, in order to improve the positive defect rate, that is, the rate at which anomalies are misjudged as normal. An experiment on the DARPA data set showed that the proposed method improved the positive defect rate by 13% in the system call order model that considers time, compared with the model that does not consider time.
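As an added illustration (not code from the paper), the following Python sketch builds the two kinds of detectors the abstract describes, fixed-size windows of normal system call orders and, per window, the mean and standard deviation of argument lengths, and checks traces against both jointly, so a trace whose order is normal but whose argument is oversized (the format string case above) is still flagged. The sample traces, the window size, the 3-sigma threshold and the min_sigma floor are constructed assumptions; the temporal grouping the paper adds is not reproduced here.

```python
from collections import defaultdict
from math import sqrt

WINDOW = 3  # size of each fixed-length syscall-order window (a "gene")

# Constructed sample traces of a tiny file server, one request per trace.
# Each entry is (syscall, total argument length). The attack traces keep a
# normal order with an oversized argument, or insert an unseen call.
NORMAL = [[("open", 14), ("read", 60), ("write", 60), ("close", 0)],
          [("open", 12), ("read", 64), ("write", 64), ("close", 0)],
          [("open", 16), ("read", 58), ("write", 58), ("close", 0)]]
ATTACK_ARGS = [("open", 14), ("read", 62), ("write", 600), ("close", 0)]
ATTACK_ORDER = [("open", 14), ("read", 62), ("execve", 7), ("close", 0)]

def windows(trace, n=WINDOW):
    """Split a trace into overlapping fixed-size windows."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]

def train(normal_traces, n=WINDOW):
    """Detectors: every normal syscall-order window, and for each window the
    mean and standard deviation of the argument length at each position."""
    samples = defaultdict(list)
    for trace in normal_traces:
        for w in windows(trace, n):
            samples[tuple(c for c, _ in w)].append([l for _, l in w])
    model = {}
    for order, lens in samples.items():
        stats = []
        for pos in range(n):
            vals = [s[pos] for s in lens]
            mean = sum(vals) / len(vals)
            stats.append((mean, sqrt(sum((v - mean) ** 2 for v in vals) / len(vals))))
        model[order] = stats
    return model

def detect(model, trace, n=WINDOW, k=3.0, min_sigma=1.0):
    """Return (window index, reason) for each anomalous window: 'order' when
    the syscall order was never seen, 'argument' when the order is known but
    an argument length lies more than k standard deviations from the mean."""
    alerts = []
    for i, w in enumerate(windows(trace, n)):
        stats = model.get(tuple(c for c, _ in w))
        if stats is None:
            alerts.append((i, "order"))
        elif any(abs(l - mean) > k * max(sigma, min_sigma)
                 for (_, l), (mean, sigma) in zip(w, stats)):
            alerts.append((i, "argument"))
    return alerts

MODEL = train(NORMAL)  # detectors learned from the constructed normal traces
```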
Keywords: Host-based IDS; system call sequence; system call argument; false positive; false negative
Times cited by KSCI: 4