Simple, state-based approaches to program-based anomaly detection
- 1 August 2002
- journal article
- Published by Association for Computing Machinery (ACM) in ACM Transactions on Information and System Security
- Vol. 5 (3), 203-237
- https://doi.org/10.1145/545186.545187
Abstract
This article describes variants of two state-based intrusion detection algorithms from Michael and Ghosh [2000] and Ghosh et al. [2000], and gives experimental results on their performance. The algorithms detect anomalies in execution audit data. One variant is a simply constructed finite-state machine, and the other two monitor statistical deviations from normal program behavior. The performance of these algorithms is evaluated as a function of the amount of available training data, and they are compared to the well-known intrusion detection technique of looking for novel n-grams in computer audit data.
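The abstract names three ingredients: a detector trained on normal execution audit data, a statistical "deviation from normal" detector, and the n-gram novelty baseline against which both are measured, with all of them evaluated as a function of how much training data is available. The following is an added illustration, not code or data from the paper: the system-call traces are constructed by hand, the n-gram detector is the standard novel-n-gram baseline, and the transition-probability detector is a deliberately crude first-order Markov stand-in for a statistical deviation monitor rather than the authors' algorithm. The `learning_curve` helper shows the effect the paper measures, namely that false alarms on held-out normal behaviour fall as more normal traces are used for training.

```python
from collections import Counter, defaultdict

# Constructed system-call traces for illustration (not the paper's data).
# Each trace is the ordered list of system calls one process made.
NORMAL_TRACES = [
    ["open", "read", "read", "close", "mmap", "write", "close"],
    ["open", "read", "close", "mmap", "write", "close"],
    ["open", "read", "read", "read", "close", "mmap", "write", "close"],
    ["open", "read", "close", "mmap", "write", "write", "close"],
]
# A constructed normal trace held out of training to measure false alarms.
HOLDOUT_NORMAL = ["open", "read", "read", "read", "close", "mmap", "write", "write", "close"]
# A constructed trace in which the process spawns a program and connects out.
ATTACK_TRACE = ["open", "read", "close", "execve", "dup2", "socket", "connect", "write", "close"]


def ngrams(trace, n):
    """All length-n windows of a trace, as tuples."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def train_ngram_model(traces, n):
    """The n-gram baseline: the set of every n-gram observed in normal traces."""
    model = set()
    for t in traces:
        model.update(ngrams(t, n))
    return model


def novel_ngrams(model, trace, n):
    """Windows of `trace` never seen in training; each one is an anomaly signal."""
    return [g for g in ngrams(trace, n) if g not in model]


def train_transition_model(traces):
    """First-order transition probabilities P(next | current) estimated from normal traces.
    This is a simplified stand-in for a statistical deviation monitor, not the paper's method."""
    counts = defaultdict(Counter)
    for t in traces:
        for cur, nxt in zip(t, t[1:]):
            counts[cur][nxt] += 1
    return {cur: {nxt: c / sum(ctr.values()) for nxt, c in ctr.items()}
            for cur, ctr in counts.items()}


def improbable_transitions(model, trace, threshold):
    """Transitions whose trained probability is below `threshold`.
    A never-seen state or arc has probability 0 and is therefore always flagged."""
    flagged = []
    for cur, nxt in zip(trace, trace[1:]):
        p = model.get(cur, {}).get(nxt, 0.0)
        if p < threshold:
            flagged.append((cur, nxt, p))
    return flagged


def learning_curve(traces, holdout, n):
    """False alarms (novel n-grams) on a held-out normal trace as the training
    set grows one trace at a time; the list index m corresponds to m+1 traces."""
    return [len(novel_ngrams(train_ngram_model(traces[:m], n), holdout, n))
            for m in range(1, len(traces) + 1)]


if __name__ == "__main__":
    n = 3
    model = train_ngram_model(NORMAL_TRACES, n)
    print("false alarms vs. training size:", learning_curve(NORMAL_TRACES, HOLDOUT_NORMAL, n))
    print("novel 3-grams in attack trace:", novel_ngrams(model, ATTACK_TRACE, n))
    tm = train_transition_model(NORMAL_TRACES)
    print("improbable transitions in attack trace:", improbable_transitions(tm, ATTACK_TRACE, 0.1))
```

With these four training traces the n-gram baseline raises three false alarms on the held-out trace after one training trace and none after four, which is the shape of the training-data dependence the article measures; the attack trace is flagged by both detectors because its `execve`/`socket`/`connect` calls never appear in any normal trace. The threshold of 0.1 for the transition detector is an arbitrary choice for the example; in practice it is the knob that trades false alarms against missed attacks.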