EEMCS EPrints Service

A gray-box DPDA-based intrusion detection technique using system-call monitoring (EPrints ID 25171)

Jafarian, J.H. and Abbasi, A. and Safaei Sheikhabadi, S. (2011) A gray-box DPDA-based intrusion detection technique using system-call monitoring. In: Proceedings of the 8th Annual Collaboration, Electronic messaging, Anti-Abuse and Spam Conference, 01-02 Sep 2011, Perth, Australia. pp. 1-12. ACM. ISBN 978-1-4503-0788-8

Full text available as: PDF (Univ. of Twente only), 687 Kb

Official URL: http://dx.doi.org/10.1145/2030376.2030377

Abstract

In this paper, we present a novel technique for automatic and efficient intrusion detection based on learning program behaviors. Program behavior is captured in terms of issued system calls augmented with point-of-system-call information, and is modeled as an efficient deterministic pushdown automaton (DPDA). The visit frequency of each state is recorded and statistically analyzed to detect abnormal execution patterns. This approach provides a very accurate model of program behavior, which rules out a broad class of impossible-path exploits. It also allows detection of new classes of attacks such as denial-of-service and brute-force dictionary attacks. We also present a complexity analysis of our model, and show that its time and space complexity is polynomial and comparable to other similar approaches in learning, and substantially better in detection. Moreover, we evaluate our approach experimentally in terms of false positive rate, convergence rate, and performance. Finally, we discuss the classes of attacks that are detectable and undetectable by our approach.

Item Type: Conference or Workshop Paper (Full Paper, Talk)
Research Group: EWI-DIES: Distributed and Embedded Security
Uncontrolled Keywords: Intrusion Detection, System Call, Host Based
ID Code: 25171
Status: Published
Deposited On: 23 October 2014
Refereed: Yes
International: Yes