Intrusion detection using variable-length audit trail patterns

Andreas Wespi, Marc Dacier, Hervé Debar

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

87 Citations (Scopus)

Abstract

Audit trail patterns generated on behalf of a Unix process can be used to model the process behavior. Most of the approaches proposed so far use a table of fixed-length patterns to represent the process model. However, variable-length patterns seem to be more naturally suited to model the process behavior, but they are also more difficult to construct. In this paper, we present a novel technique to build a table of variable-length patterns. This technique is based on Teiresias, an algorithm initially developed for discovering rigid patterns in unaligned biological sequences. We evaluate the quality of our technique in a testbed environment, and compare it with the intrusion-detection system proposed by Forrest et al. [8], which is based on fixed-length patterns. The results achieved with our novel method are significantly better than those obtained with the original method based on fixed-length patterns.
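The contrast the abstract draws, a fixed-length window table versus a table of variable-length patterns matched against a process's audit events, is shown below as an added example; it is not code from the paper. The paper's variable-length table is produced by the Teiresias algorithm, which is not implemented here: the table in the example is written by hand, the greedy longest-match cover is an assumed simplification of how such a table might be applied, and the training and test traces are constructed sample data with generic event names standing in for C2 audit records. The fixed-length part follows the sliding-window idea the abstract attributes to Forrest et al.

```python
"""Fixed-length vs. variable-length pattern models of an audit trail.

Added illustration, not code from the paper. The paper builds its
variable-length table with the Teiresias algorithm, which is not implemented
here; VARIABLE_LENGTH_TABLE is hand-written and the greedy longest-match
cover is an assumed simplification. The fixed-length model follows the
sliding-window idea attributed to Forrest et al. All traces are constructed
sample data with generic event names.
"""

# Constructed "normal" training traces for one process, one audit event per
# element. A real C2 audit trail would carry much richer records.
TRAINING_TRACES = [
    ["open", "read", "read", "close", "open", "write", "close", "exit"],
    ["open", "read", "close", "open", "write", "write", "close", "exit"],
    ["open", "read", "read", "read", "close", "open", "write", "close", "exit"],
]

# Constructed test traces: one normal, one with an unexpected "exec".
NORMAL_TEST = ["open", "read", "read", "close", "open", "write", "close", "exit"]
ANOMALOUS_TEST = ["open", "read", "close", "open", "write", "close",
                  "exec", "open", "write", "close", "exit"]

# Hand-written variable-length patterns; each is meant to cover one functional
# unit (a read block, a write block, process exit). Not Teiresias output.
VARIABLE_LENGTH_TABLE = [
    ("open", "read", "read", "read", "close"),
    ("open", "read", "read", "close"),
    ("open", "read", "close"),
    ("open", "write", "write", "close"),
    ("open", "write", "close"),
    ("exit",),
]


def windows(trace, k):
    """All length-k sliding windows of a trace, as tuples."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def build_fixed_length_table(traces, k):
    """Fixed-length model: the set of every length-k window seen in training."""
    table = set()
    for trace in traces:
        table.update(windows(trace, k))
    return table


def fixed_length_mismatches(trace, table, k):
    """Number of length-k windows of `trace` that never occurred in training."""
    return sum(1 for w in windows(trace, k) if w not in table)


def cover_trace(trace, table):
    """Greedy left-to-right cover of `trace` with variable-length patterns.

    At each position the longest matching pattern is consumed; an event that
    no pattern covers is reported as (index, event). Returns (used, uncovered).
    """
    patterns = sorted(table, key=len, reverse=True)
    i, used, uncovered = 0, [], []
    while i < len(trace):
        for p in patterns:
            if tuple(trace[i:i + len(p)]) == p:
                used.append(p)
                i += len(p)
                break
        else:  # no pattern starts here: flag the event and move on
            uncovered.append((i, trace[i]))
            i += 1
    return used, uncovered


def compare_models(k=3):
    """Run both models on the test traces and return the figures to inspect."""
    fixed = build_fixed_length_table(TRAINING_TRACES, k)
    return {
        "fixed_table_size": len(fixed),
        "variable_table_size": len(VARIABLE_LENGTH_TABLE),
        "fixed_mismatches_normal": fixed_length_mismatches(NORMAL_TEST, fixed, k),
        "fixed_mismatches_anomalous": fixed_length_mismatches(ANOMALOUS_TEST, fixed, k),
        "uncovered_normal": cover_trace(NORMAL_TEST, VARIABLE_LENGTH_TABLE)[1],
        "uncovered_anomalous": cover_trace(ANOMALOUS_TEST, VARIABLE_LENGTH_TABLE)[1],
    }


if __name__ == "__main__":
    for key, value in compare_models().items():
        print(f"{key}: {value}")
```

On this constructed data the fixed-length table (k = 3) holds ten windows, several of which straddle two functional units (for instance a close followed by the next open), while the six hand-written variable-length entries each map onto one unit. Both models flag the injected "exec": the fixed-length model as three mismatching windows around it, the variable-length cover as a single uncovered event at position 6. Whether a greedy cover is an adequate matching strategy for Teiresias-derived tables is not something this page states; it is used here only to make the difference between the two table shapes concrete.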

Original language: English
Title of host publication: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Publisher: Springer Verlag
Pages: 110-129
Number of pages: 20
Volume: 1907
ISBN (Print): 978-3-540-41085-0
Publication status: Published - 2000
Externally published: Yes
Event: 3rd International Workshop on Recent Advances in Intrusion Detection, RAID 2000 - Toulouse, France
Duration: 2 Oct 2000 - 4 Oct 2000

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 1907
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 3rd International Workshop on Recent Advances in Intrusion Detection, RAID 2000
Country: France
City: Toulouse
Period: 2/10/00 - 4/10/00

Keywords

  • C2 audit trail
  • Functionality verification tests
  • Intrusion detection
  • Pattern discovery
  • Pattern matching
  • Teiresias
  • Variable-length patterns

ASJC Scopus subject areas

  • Computer Science(all)
  • Theoretical Computer Science


Cite this

Wespi, A., Dacier, M., & Debar, H. (2000). Intrusion detection using variable-length audit trail patterns. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 1907, pp. 110-129). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 1907). Springer Verlag.