{"title":"Utilizing statistical characteristics of N-grams for intrusion detection","authors":"Zhuowei Li, A. Das, Sukumar Nandi","doi":"10.1109/CYBER.2003.1253494","DOIUrl":null,"url":null,"abstract":"Information and infrastructure security is a serious issue of global concern. As the last line of defense for security infrastructure, intrusion detection techniques are paid more and more attention. In this paper, one anomaly-based intrusion detection technique (ScanAID: Statistical ChAracteristics of N-grams for Anomaly-based Intrusion Detection) is proposed to detect intrusive behaviors in a computer system. The statistical properties in sequences of system calls are abstracted to model the normal behaviors of a privileged process, in which the model is characterized by a vector of anomaly values of N-grams. With a reasonable definition of efficiency parameter, the length of an N-gram and the size of the training dataset are optimized to get an efficient and compact model. Then, with the optimal modeling parameters, the flexibility and efficiency of the model are evaluated by the ROC curves. Our experimental results show that the proposed statistical anomaly detection technique is promising and deserves further research (such as applying it to network environments).","PeriodicalId":130458,"journal":{"name":"Proceedings. 2003 International Conference on Cyberworlds","volume":"103 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2003-12-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"17","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings. 2003 International Conference on Cyberworlds","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CYBER.2003.1253494","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 17
Abstract
Information and infrastructure security is a serious issue of global concern. As the last line of defense for security infrastructure, intrusion detection techniques are paid more and more attention. In this paper, one anomaly-based intrusion detection technique (ScanAID: Statistical ChAracteristics of N-grams for Anomaly-based Intrusion Detection) is proposed to detect intrusive behaviors in a computer system. The statistical properties in sequences of system calls are abstracted to model the normal behaviors of a privileged process, in which the model is characterized by a vector of anomaly values of N-grams. With a reasonable definition of efficiency parameter, the length of an N-gram and the size of the training dataset are optimized to get an efficient and compact model. Then, with the optimal modeling parameters, the flexibility and efficiency of the model are evaluated by the ROC curves. Our experimental results show that the proposed statistical anomaly detection technique is promising and deserves further research (such as applying it to network environments).
信息和基础设施安全是全球关注的重大问题。入侵检测技术作为安全基础设施的最后一道防线,越来越受到人们的重视。本文提出了一种基于异常的入侵检测技术(ScanAID: Statistical ChAracteristics of N-grams for anomaly-based intrusion detection),用于检测计算机系统中的入侵行为。将系统调用序列中的统计属性抽象为特权进程的正常行为模型,该模型用N-grams异常值向量来表征。通过合理定义效率参数,优化N-gram的长度和训练数据集的大小,得到高效紧凑的模型。然后,利用最优建模参数,通过ROC曲线对模型的灵活性和效率进行评价。实验结果表明,所提出的统计异常检测技术是有前途的,值得进一步研究(例如将其应用于网络环境)。