http://dx.doi.org/10.3745/KIPSTC.2003.10C.4.397

Profiling Program Behavior with $X^2$ Distance-based Multivariate Analysis for Intrusion Detection

Kim, Chong-Il (Department of Computer Science, Graduate School, Chonnam National University)
Kim, Yong-Min (Post-doc., Linux System Security Research Center, Chonnam National University)
Seo, Jae-Hyeon (Division of Information Engineering, Mokpo National University)
Noh, Bong-Nam (Division of Computer and Information Science, Chonnam National University)
Abstract
Intrusion detection techniques based on program behavior can detect potential intrusions against systems by analyzing the system calls made by daemon programs or root-privileged programs and building program profiles. But there is a drawback: a large profile must be built for each program. In this paper, we apply $X^2$ distance-based multivariate analysis to profiling program behavior and detecting abnormal behavior in order to reduce profile size. Experimental results show that the profiles are relatively small and the detection rate is significant.
Keywords
Intrusion Detection; $X^2$ Distance-based Multivariate Analysis; Program Behavior
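To make the profiling idea in the abstract concrete, here is an added example (not the paper's code) that builds a per-program profile from system-call frequencies and flags a run whose $X^2$ distance from the profile is too large. It assumes the profile is the mean relative-frequency vector over normal runs, the distance is $\sum_i (x_i - \mu_i)^2 / \mu_i$, and the alarm threshold is mean plus three standard deviations of that distance on the training runs; the paper's exact formulation may differ, and the traces are constructed.

```python
# Added example, not the paper's code. Assumed: profile = mean syscall frequency
# vector; distance = sum((x_i - mu_i)^2 / mu_i); alarm above mean + K_SIGMA*std.
from collections import Counter
from math import sqrt

OTHER = "<unseen>"   # bucket for syscalls never observed while profiling
EPS = 1e-6           # floor for mu_i: unseen syscalls cost a lot, never divide by 0
K_SIGMA = 3.0        # assumed threshold width

# Constructed training traces for one program (syscall names per run).
NORMAL_TRACES = [
    ["open", "read", "read", "write", "close"],
    ["open", "read", "write", "write", "close"],
    ["open", "read", "read", "read", "close"],
    ["open", "read", "write", "close"],
]
SYSCALLS = sorted({s for t in NORMAL_TRACES for s in t}) + [OTHER]

def freq_vector(trace, syscalls=SYSCALLS):
    """Relative frequency of each profiled syscall; anything else -> OTHER."""
    counts = Counter(s if s in syscalls else OTHER for s in trace)
    return [counts[s] / len(trace) for s in syscalls]

def build_profile(traces):
    """Profile = per-syscall mean frequency (floored at EPS); fixed, small size."""
    vecs = [freq_vector(t) for t in traces]
    return [max(sum(col) / len(vecs), EPS) for col in zip(*vecs)]

def chi2_distance(x, mu):
    """X^2 distance of an observed frequency vector from the profile."""
    return sum((xi - mi) ** 2 / mi for xi, mi in zip(x, mu))

def fit_threshold(traces, mu, k=K_SIGMA):
    """Alarm level from the spread of X^2 over the normal traces themselves."""
    d = [chi2_distance(freq_vector(t), mu) for t in traces]
    mean = sum(d) / len(d)
    std = sqrt(sum((v - mean) ** 2 for v in d) / len(d))
    return mean + k * std

def is_anomalous(trace, mu, thr):
    return chi2_distance(freq_vector(trace), mu) > thr

PROFILE = build_profile(NORMAL_TRACES)
THRESHOLD = fit_threshold(NORMAL_TRACES, PROFILE)

if __name__ == "__main__":
    # One run with calls never profiled, one with known calls in an unusual mix.
    for t in (["open", "execve", "setuid", "write", "close"], ["write"] * 10):
        print(round(chi2_distance(freq_vector(t), PROFILE), 3),
              "ANOMALY" if is_anomalous(t, PROFILE, THRESHOLD) else "normal")
```

The profile is one vector with an entry per syscall plus an "unseen" bucket, which is what keeps it small compared with sequence-based profiles; the second test run shows that a shift in the mix of known calls is caught as well as a call the program never made before.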