Characterizing the Behavior of a Program Using Multiple-Length N-Grams

Abstract

Some recent advances in intrusion detection are based on detecting anomalies in program behavior, as characterized by the sequence of kernel calls the program makes. Specifically, traces of kernel calls are collected during a training period. The substrings of fixed length N (for some N) of those traces are called N-grams. The set of N-grams occurring during normal execution has been found to discriminate effectively between normal behavior of a program and the behavior of the program under attack. The N-gram characterization, while effective, requires the user to choose a suitable value for N. This paper presents an alternative characterization, as a finite state machine whose states represent predictive sequences of different lengths. An algorithm is presented to construct the finite state machine from training data, based on traditional string-processing data structures but employing some novel techniques.
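As an added illustration (not code from the report), the fixed-length N-gram characterization the abstract takes as its starting point, built over constructed kernel-call traces; `demo` shows how the choice of N shifts both the anomaly score of a deviant trace and the false-alarm rate on a benign one, which is the limitation the report's variable-length states address.

```python
from typing import Dict, Iterable, List, Set, Tuple

NGram = Tuple[str, ...]

def ngrams(trace: List[str], n: int) -> List[NGram]:
    """All length-n substrings (sliding window) of a kernel-call trace."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]

def build_profile(training: Iterable[List[str]], n: int) -> Set[NGram]:
    """The set of N-grams seen during normal (training) execution."""
    profile: Set[NGram] = set()
    for trace in training:
        profile.update(ngrams(trace, n))
    return profile

def mismatch_rate(profile: Set[NGram], trace: List[str], n: int) -> float:
    """Fraction of the trace's N-grams absent from the profile.
    0.0 means every window was seen in training; 1.0 means none were."""
    grams = ngrams(trace, n)
    if not grams:
        return 0.0
    return sum(1 for g in grams if g not in profile) / len(grams)

# Constructed sample data (not from the report): a program whose normal runs
# open a file, read it one or more times, write one or more times, and close.
NORMAL_TRACES = [
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
    ["open", "read", "write", "write", "close"],
]
NORMAL_TEST = ["open", "read", "read", "write", "write", "close"]  # benign
ANOMALOUS_TEST = ["open", "read", "execve", "fork", "close"]       # deviant

def demo(n: int) -> Dict[str, float]:
    """Score both test traces against a profile built with window length n."""
    profile = build_profile(NORMAL_TRACES, n)
    return {"normal": mismatch_rate(profile, NORMAL_TEST, n),
            "anomalous": mismatch_rate(profile, ANOMALOUS_TEST, n)}

if __name__ == "__main__":
    # n=3 separates the traces cleanly; n=5 flags the benign run too, because
    # its 5-grams never occurred verbatim in training (a false alarm).
    for n in (2, 3, 5):
        print(n, demo(n))
```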

Document Details

Document Type
Technical Report
Publication Date
Jan 01, 2005
Accession Number
ADA436198

Entities

People

  • Carla Marceau

Tags

Communities of Interest

  • Cyber
  • Materials and Manufacturing Processes

DTIC Thesaurus Topics

  • Abstracts
  • Algorithms
  • Allergy And Immunology
  • Automata
  • Denial Of Service Attack
  • Detection
  • Detectors
  • False Alarms
  • Immune System
  • Information Operations
  • Intrusion
  • Intrusion Detection
  • Machines
  • New Mexico
  • Operating Systems
  • Sequences
  • Training

Fields of Study

  • Computer science

Readers

  • Computational Linguistics
  • Sensor Fusion and Tracking Systems
  • Structural Health Monitoring of Composite Structures