Intrusion detection using variable-length audit trail patterns

Andreas Wespi, Marc Dacier, Hervé Debar

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

85 Citations (Scopus)

Abstract

Audit trail patterns generated on behalf of a Unix process can be used to model the process behavior. Most of the approaches proposed so far use a table of fixed-length patterns to represent the process model. However, variable-length patterns seem to be more naturally suited to model the process behavior, but they are also more difficult to construct. In this paper, we present a novel technique to build a table of variable-length patterns. This technique is based on Teiresias, an algorithm initially developed for discovering rigid patterns in unaligned biological sequences. We evaluate the quality of our technique in a testbed environment, and compare it with the intrusion-detection system proposed by Forrest et al. [8], which is based on fixed-length patterns. The results achieved with our novel method are significantly better than those obtained with the original method based on fixed-length patterns.

Original language: English
Title of host publication: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Publisher: Springer Verlag
Pages: 110-129
Number of pages: 20
Volume: 1907
ISBN (Print): 9783540410850
Publication status: Published - 2000
Externally published: Yes
Event: 3rd International Workshop on Recent Advances in Intrusion Detection, RAID 2000 - Toulouse, France
Duration: 2 Oct 2000 to 4 Oct 2000

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 1907
ISSN (Print): 03029743
ISSN (Electronic): 16113349

Other

Other: 3rd International Workshop on Recent Advances in Intrusion Detection, RAID 2000
Country: France
City: Toulouse
Period: 2/10/00 to 4/10/00


Keywords

  • C2 audit trail
  • Functionality verification tests
  • Intrusion detection
  • Pattern discovery
  • Pattern matching
  • Teiresias
  • Variable-length patterns

ASJC Scopus subject areas

  • Computer Science(all)
  • Theoretical Computer Science

Cite this

Wespi, A., Dacier, M., & Debar, H. (2000). Intrusion detection using variable-length audit trail patterns. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 1907, pp. 110-129). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 1907). Springer Verlag.

@inproceedings{1e1ef30dcd8942848ea7fab6193a9456,
title = "Intrusion detection using variable-length audit trail patterns",
abstract = "Audit trail patterns generated on behalf of a Unix process can be used to model the process behavior. Most of the approaches proposed so far use a table of fixed-length patterns to represent the process model. However, variable-length patterns seem to be more naturally suited to model the process behavior, but they are also more difficult to construct. In this paper, we present a novel technique to build a table of variable-length patterns. This technique is based on Teiresias, an algorithm initially developed for discovering rigid patterns in unaligned biological sequences. We evaluate the quality of our technique in a testbed environment, and compare it with the intrusion-detection system proposed by Forrest et al. [8], which is based on fixed-length patterns. The results achieved with our novel method are significantly better than those obtained with the original method based on fixed-length patterns.",
keywords = "C2 audit trail, Functionality verification tests, Intrusion detection, Pattern discovery, Pattern matching, Teiresias, Variable-length patterns",
author = "Andreas Wespi and Marc Dacier and Herv{\'e} Debar",
year = "2000",
language = "English",
isbn = "9783540410850",
volume = "1907",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
publisher = "Springer Verlag",
pages = "110--129",
booktitle = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
}

TY  - GEN
T1  - Intrusion detection using variable-length audit trail patterns
AU  - Wespi, Andreas
AU  - Dacier, Marc
AU  - Debar, Hervé
PY  - 2000
Y1  - 2000
N2  - Audit trail patterns generated on behalf of a Unix process can be used to model the process behavior. Most of the approaches proposed so far use a table of fixed-length patterns to represent the process model. However, variable-length patterns seem to be more naturally suited to model the process behavior, but they are also more difficult to construct. In this paper, we present a novel technique to build a table of variable-length patterns. This technique is based on Teiresias, an algorithm initially developed for discovering rigid patterns in unaligned biological sequences. We evaluate the quality of our technique in a testbed environment, and compare it with the intrusion-detection system proposed by Forrest et al. [8], which is based on fixed-length patterns. The results achieved with our novel method are significantly better than those obtained with the original method based on fixed-length patterns.
AB  - Audit trail patterns generated on behalf of a Unix process can be used to model the process behavior. Most of the approaches proposed so far use a table of fixed-length patterns to represent the process model. However, variable-length patterns seem to be more naturally suited to model the process behavior, but they are also more difficult to construct. In this paper, we present a novel technique to build a table of variable-length patterns. This technique is based on Teiresias, an algorithm initially developed for discovering rigid patterns in unaligned biological sequences. We evaluate the quality of our technique in a testbed environment, and compare it with the intrusion-detection system proposed by Forrest et al. [8], which is based on fixed-length patterns. The results achieved with our novel method are significantly better than those obtained with the original method based on fixed-length patterns.
KW  - C2 audit trail
KW  - Functionality verification tests
KW  - Intrusion detection
KW  - Pattern discovery
KW  - Pattern matching
KW  - Teiresias
KW  - Variable-length patterns
UR  - http://www.scopus.com/inward/record.url?scp=84944248021&partnerID=8YFLogxK
UR  - http://www.scopus.com/inward/citedby.url?scp=84944248021&partnerID=8YFLogxK
M3  - Conference contribution
SN  - 9783540410850
VL  - 1907
T3  - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP  - 110
EP  - 129
BT  - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
PB  - Springer Verlag
ER  - 