Fixed- vs. variable-length patterns for detecting suspicious process behavior

Andreas Wespi, Herve Debar, Marc Dacier, Mehdi Nassehi

Research output: Contribution to journal › Article

15 Citations (Scopus)

Abstract

This paper addresses the problem of creating patterns that can be used to model the normal behavior of a given process. The models can be used for intrusion-detection purposes. First, we present a novel method to generate input data sets that enable us to observe the normal behavior of a process in a secure environment. Second, we propose various techniques to derive either fixed-length or variable-length patterns from the input data sets. We show the advantages and drawbacks of each technique, based on the results of the experiments we have run on our testbed.
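The abstract contrasts two ways of modelling a process's normal behaviour from observed event traces: fixed-length patterns (every window of k consecutive events seen during normal runs) and variable-length patterns (recurring sub-sequences whose length is determined by the data). The following is an added illustration of that contrast and is not code from the paper: the sliding-window table, the frequent-sub-sequence miner, the coverage-based matcher and the event names are assumptions chosen for this example, and the traces are constructed, not audit data from the authors' testbed.

```python
"""Fixed-length vs. variable-length pattern tables over process event traces.

Added illustration, not code from Wespi et al.: the n-gram table, the
frequent-sub-sequence miner and the coverage matcher are simple stand-ins
chosen for this example; the paper's own techniques are not reproduced.
"""
from collections import Counter
from typing import Dict, List, Sequence, Set, Tuple

Event = str
Trace = Tuple[Event, ...]

# Constructed normal traces of a hypothetical file-serving process
# (assumed event names, not real audit data).
NORMAL_TRACES: List[Trace] = [
    ("open", "read", "read", "close", "open", "write", "close"),
    ("open", "read", "close", "open", "write", "write", "close"),
    ("open", "read", "read", "read", "close"),
]

# Constructed test traces: a benign one, one with an injected exec chain,
# and a benign-but-unseen one (three writes) that exposes a training gap.
BENIGN_TRACE: Trace = ("open", "read", "close", "open", "write", "close")
ATTACK_TRACE: Trace = ("open", "read", "close", "exec", "dup2", "exec")
UNSEEN_BENIGN_TRACE: Trace = ("open", "write", "write", "write", "close")


def fixed_length_table(traces: Sequence[Trace], k: int) -> Set[Trace]:
    """Sliding-window model: every length-k window seen in normal traces."""
    return {t[i:i + k] for t in traces for i in range(len(t) - k + 1)}


def fixed_length_mismatches(table: Set[Trace], k: int,
                            trace: Trace) -> Tuple[int, int]:
    """Return (windows of `trace` absent from `table`, total windows)."""
    windows = [trace[i:i + k] for i in range(len(trace) - k + 1)]
    return sum(1 for w in windows if w not in table), len(windows)


def _contains(longer: Trace, shorter: Trace) -> bool:
    """True if `shorter` occurs as a contiguous sub-sequence of `longer`."""
    n = len(shorter)
    return any(longer[i:i + n] == shorter
               for i in range(len(longer) - n + 1))


def variable_length_table(traces: Sequence[Trace], min_support: int = 2,
                          min_len: int = 2, max_len: int = 5) -> Dict[Trace, int]:
    """Mine recurring sub-sequences of length min_len..max_len that occur at
    least `min_support` times (occurrences may overlap), then keep only the
    maximal ones: a pattern is dropped when a longer frequent pattern with
    the same support contains it, since that longer pattern explains every
    occurrence of the shorter one.  Returns {pattern: support}."""
    counts: Counter = Counter()
    for t in traces:
        for n in range(min_len, max_len + 1):
            for i in range(len(t) - n + 1):
                counts[t[i:i + n]] += 1
    frequent = {p: c for p, c in counts.items() if c >= min_support}
    return {
        p: c for p, c in frequent.items()
        if not any(len(q) > len(p) and cq == c and _contains(q, p)
                   for q, cq in frequent.items())
    }


def variable_length_uncovered(patterns: Dict[Trace, int],
                              trace: Trace) -> Tuple[int, int]:
    """Coverage model: an event is explained if some occurrence of some
    pattern covers its position.  Return (events never covered, trace length)."""
    covered = [False] * len(trace)
    for p in patterns:
        n = len(p)
        for i in range(len(trace) - n + 1):
            if trace[i:i + n] == p:
                for j in range(i, i + n):
                    covered[j] = True
    return covered.count(False), len(trace)


if __name__ == "__main__":
    k = 3
    fixed = fixed_length_table(NORMAL_TRACES, k)
    variable = variable_length_table(NORMAL_TRACES)
    print(f"{len(fixed)} fixed-length patterns (k={k}), "
          f"{len(variable)} variable-length patterns")
    for name, trace in [("benign", BENIGN_TRACE),
                        ("attack", ATTACK_TRACE),
                        ("unseen benign", UNSEEN_BENIGN_TRACE)]:
        miss, total = fixed_length_mismatches(fixed, k, trace)
        unc, n = variable_length_uncovered(variable, trace)
        print(f"{name:14s} fixed: {miss}/{total} windows unknown   "
              f"variable: {unc}/{n} events uncovered")
```

Both tables flag the injected exec chain, since its events never occur in the normal traces. The third trace is the more instructive case: it is plausible normal behaviour that the training runs simply never exercised, so the fixed-length table reports an unknown window and the variable-length table leaves three events uncovered. That is the kind of false alarm that motivates the abstract's first contribution, a method for generating input data sets that exercise the process's normal behaviour completely before patterns are derived from it.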

Original language: English
Pages (from-to): 159-181
Number of pages: 23
Journal: Journal of Computer Security
Volume: 8
Issue number: 2
Publication status: Published - 2000
Externally published: Yes

Fingerprint

Intrusion detection
Testbeds
Experiments

ASJC Scopus subject areas

  • Software

Cite this

Fixed- vs. variable-length patterns for detecting suspicious process behavior. / Wespi, Andreas; Debar, Herve; Dacier, Marc; Nassehi, Mehdi.

In: Journal of Computer Security, Vol. 8, No. 2, 2000, p. 159-181.

@article{85b9e3e1d6cd4bd9bab422d3557ab826,
title = "Fixed- vs. variable-length patterns for detecting suspicious process behavior",
abstract = "This paper addresses the problem of creating patterns that can be used to model the normal behavior of a given process. The models can be used for intrusion-detection purposes. First, we present a novel method to generate input data sets that enable us to observe the normal behavior of a process in a secure environment. Second, we propose various techniques to derive either fixed-length or variable-length patterns from the input data sets. We show the advantages and drawbacks of each technique, based on the results of the experiments we have run on our testbed.",
author = "Andreas Wespi and Herve Debar and Marc Dacier and Mehdi Nassehi",
year = "2000",
language = "English",
volume = "8",
pages = "159--181",
journal = "Journal of Computer Security",
issn = "0926-227X",
publisher = "IOS Press",
number = "2",
}

TY - JOUR

T1 - Fixed- vs. variable-length patterns for detecting suspicious process behavior

AU - Wespi, Andreas

AU - Debar, Herve

AU - Dacier, Marc

AU - Nassehi, Mehdi

PY - 2000

Y1 - 2000

AB - This paper addresses the problem of creating patterns that can be used to model the normal behavior of a given process. The models can be used for intrusion-detection purposes. First, we present a novel method to generate input data sets that enable us to observe the normal behavior of a process in a secure environment. Second, we propose various techniques to derive either fixed-length or variable-length patterns from the input data sets. We show the advantages and drawbacks of each technique, based on the results of the experiments we have run on our testbed.

UR - http://www.scopus.com/inward/record.url?scp=0033715016&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=0033715016&partnerID=8YFLogxK

M3 - Article

VL - 8

SP - 159

EP - 181

JO - Journal of Computer Security

JF - Journal of Computer Security

SN - 0926-227X

IS - 2

ER -