Simple, state-based approaches to program-based anomaly detection

1 August 2002

journal article
Published by Association for Computing Machinery (ACM) in ACM Transactions on Information and System Security

Vol. 5 (3), 203-237
https://doi.org/10.1145/545186.545187

Abstract

This article describes variants of two state-based intrusion detection algorithms from Michael and Ghosh [2000] and Ghosh et al. [2000], and gives experimental results on their performance. The algorithms detect anomalies in execution audit data. One is a simply constructed finite-state machine, and the other two monitor statistical deviations from normal program behavior. The performance of these algorithms is evaluated as a function of the amount of available training data, and they are compared to the well-known intrusion detection technique of looking for novel n -grams in computer audit data.

Keywords

This publication has 7 references indexed in Scilit:

Temporal sequence learning and data reduction for anomaly detection
ACM Transactions on Information and System Security, 1999
Information bounds and quick detection of parameter changes in stochastic systems
IEEE Transactions on Information Theory, 1998
Efficient Learning of Typical Finite Automata from Random Walks
Information and Computation, 1997
Intrusion detection via system call traces
IEEE Software, 1997
The design and implementation of tripwire
Published by Association for Computing Machinery (ACM) ,1994
A survey of intrusion detection techniques
Computers & Security, 1993
Crytographic limitations on learning Boolean formulae and finite automata
Published by Association for Computing Machinery (ACM) ,1989

Cited by 64 articles