A fast automaton-based method for detecting anomalous program behaviors

R. Sekar, M. Bendre, Dinakar Dhurjati, P. Bollineni
DOI: 10.1109/SECPRI.2001.924295
Published in: Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001, pp. 144-155
Publication date: 2001-05-14
Citations: 639 (Semantic Scholar)

Abstract

Anomaly detection on system call sequences has become perhaps the most successful approach for detecting novel intrusions. A natural way for learning sequences is to use a finite-state automaton (FSA). However, previous research indicates that FSA learning is computationally expensive, that it cannot be completely automated, or that the space usage of the FSA may be excessive. We present a new approach that overcomes these difficulties. Our approach builds a compact FSA in a fully automatic and efficient manner, without requiring access to source code for programs. The space requirements for the FSA are low: of the order of a few kilobytes for typical programs. The FSA uses only a constant time per system call during the learning as well as the detection period. This factor leads to low overheads for intrusion detection. Unlike many of the previous techniques, our FSA technique can capture both short-term and long-term temporal relationships among system calls, and thus perform more accurate detection. This enables our approach to generalize and predict future behaviors from past behaviors. As a result, the training periods needed for our FSA-based approach are shorter. Moreover, false positives are reduced without increasing the likelihood of missing attacks. This paper describes our FSA-based technique and presents a comprehensive experimental evaluation of the technique.
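The abstract describes the approach only at a high level. The following is an added example, written for this page and not code from the paper or its authors: a toy learner and detector that keys FSA states on the call site of each system call (a stand-in for the program counter of the instruction issuing the call, which is this example's assumption about how states are chosen) and labels each transition with the system call name, beside a fixed-window n-gram model over call names only, kept for contrast. Every trace, address and the `copy_program` workload are constructed; nothing here is measured data from the paper.

```python
"""Call-site-keyed system-call FSA versus a fixed-window n-gram model.
Added example, not the paper's code; traces and addresses are constructed."""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

Event = Tuple[int, str]  # (call site, system call name)
START = -1               # synthetic entry state before the first system call


class SyscallFSA:
    def __init__(self) -> None:
        # transitions[state] = {(syscall, next_state), ...}; learning and
        # checking are one hash lookup each, so cost per system call is constant.
        self.transitions: Dict[int, Set[Tuple[str, int]]] = defaultdict(set)

    def learn(self, trace: Iterable[Event]) -> None:
        state = START
        for site, call in trace:
            self.transitions[state].add((call, site))
            state = site

    def check(self, trace: Iterable[Event]) -> List[Tuple[int, Event]]:
        """Return (index, event) for every transition never seen in training."""
        anomalies: List[Tuple[int, Event]] = []
        state = START
        for i, (site, call) in enumerate(trace):
            if (call, site) not in self.transitions.get(state, ()):
                anomalies.append((i, (site, call)))
            # Resynchronise on the current site so one deviation does not
            # turn the rest of the trace into a flood of alerts.
            state = site
        return anomalies

    def size(self) -> Tuple[int, int]:
        """(states, transitions) of the learned automaton."""
        targets = {s for edges in self.transitions.values() for _, s in edges}
        states = set(self.transitions) | targets
        return len(states), sum(len(e) for e in self.transitions.values())


class NGramModel:
    """Sliding window over system-call names only, ignoring where calls come from."""

    def __init__(self, n: int = 3) -> None:
        self.n = n
        self.seen: Set[Tuple[str, ...]] = set()

    def _windows(self, trace: Iterable[Event]) -> List[Tuple[str, ...]]:
        names = [call for _, call in trace]
        return [tuple(names[i:i + self.n]) for i in range(len(names) - self.n + 1)]

    def learn(self, trace: Iterable[Event]) -> None:
        self.seen.update(self._windows(trace))

    def check(self, trace: Iterable[Event]) -> List[Tuple[str, ...]]:
        return [w for w in self._windows(trace) if w not in self.seen]


# Hypothetical call sites of a tiny copy program and of injected code.
NORMAL_SITES = {"open": 0x401000, "read": 0x401020, "write": 0x401030,
                "close": 0x401040, "exit": 0x401050}
SHELLCODE_SITES = {name: 0x7FFE0000 + 0x10 * i for i, name in enumerate(NORMAL_SITES)}


def copy_program(iterations: int, sites: Optional[Dict[str, int]] = None) -> List[Event]:
    """Constructed trace: open, (read, write) * iterations, close, exit."""
    s = sites or NORMAL_SITES
    trace: List[Event] = [(s["open"], "open")]
    for _ in range(iterations):
        trace += [(s["read"], "read"), (s["write"], "write")]
    trace += [(s["close"], "close"), (s["exit"], "exit")]
    return trace


def injected_trace() -> List[Event]:
    """Normal run with an execve issued from injected code right after read."""
    t = copy_program(1)
    return t[:2] + [(SHELLCODE_SITES["open"], "execve")] + t[2:]


def mimicry_trace() -> List[Event]:
    """Injected code replaying the legitimate call sequence from foreign sites."""
    return copy_program(2, SHELLCODE_SITES)


def build_models() -> Tuple[SyscallFSA, NGramModel]:
    """Train both models on two short normal runs (1 and 2 loop iterations)."""
    fsa, ngram = SyscallFSA(), NGramModel(3)
    for trace in (copy_program(1), copy_program(2)):
        fsa.learn(trace)
        ngram.learn(trace)
    return fsa, ngram


if __name__ == "__main__":
    fsa, ngram = build_models()
    print("FSA size (states, transitions):", fsa.size())
    for label, trace in (("5 iterations", copy_program(5)),
                         ("injected execve", injected_trace()),
                         ("mimicry", mimicry_trace())):
        print(f"{label:16s} FSA={len(fsa.check(trace))} 3-gram={len(ngram.check(trace))}")
```

Trained on runs with one and two loop iterations, both models accept a five-iteration run, which is the generalization the abstract refers to: the loop becomes a cycle in the automaton rather than a set of fixed-length windows. Both also flag the injected `execve`. The third trace is the caveat a practitioner should keep in mind: injected code that replays the legitimate sequence `open, read, write, ..., exit` produces no unseen 3-gram, but every one of its calls comes from a site the automaton has never been in, so the call-site-keyed model flags all of them. That advantage depends entirely on the detector obtaining a trustworthy call site at system-call time (in a real deployment, the return address or program counter read by the kernel, with shared libraries and address randomization accounted for), which this example does not model.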