Abstract - Technical Program - ID 99
Intrusion Detection Through Dynamic Software Measurement
Sebastian Elbaum and John C. Munson, University of Idaho
Abstract
The thrust of this paper is to present a new real-time approach to
detect aberrant modes of system behavior induced by abnormal and
unauthorized system activities. The theoretical foundation for the
research program is based on the study of the internal behavior of
software. As a software system is executing, it will express a set of
its many functionalities as sequential events. Each of these
functionalities has a characteristic set of modules that it will
execute. In addition, these module sets will execute with clearly
defined and measurable execution profiles. These profiles change as the
executed functionalities change. Over time, the normal behavior of the
system will be defined by profiles. An attempt to violate the security
of the system will result in behavior that is outside the normal
activity of the system and thus result in a perturbation in the normal
profiles. We will show, through the real-time analysis of the Linux
kernel, that we can detect very subtle shifts in the behavior of a
system.
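
A minimal sketch of the profile idea described in the abstract, added here as an illustration and not taken from the paper: each fixed-size epoch of module calls is reduced to an execution profile, and an epoch is flagged when its profile lies farther from the nominal centroid than any training epoch did. The module names, traces, epoch size, total variation distance, and 1.5x threshold margin are all assumptions; the abstract does not state which statistic the authors use.

```python
from collections import Counter

# Constructed module-call traces (hypothetical module names, not from the paper).
A = ["sched", "sys_read", "vfs", "sys_read", "vfs", "sys_write", "vfs", "sched"]
B = ["sched", "sys_write", "vfs", "sys_write", "vfs", "sys_read", "vfs", "sched"]
NOMINAL = (A + A + B + B + A + B) * 10          # training trace: normal activity
ODD = ["sched"] * 2 + ["sys_write"] * 8 + ["vfs"] * 4 + ["mod_unseen"] * 2
OBSERVED = A + A + ODD + A + B                  # epoch 1 is the perturbed one

def windows(trace, size):
    """Split a trace into consecutive, non-overlapping epochs of `size` events."""
    return [trace[i:i + size] for i in range(0, len(trace) - size + 1, size)]

def profile(window, modules):
    """Fraction of the epoch spent in each known module, plus a slot for unknown ones."""
    counts = Counter(window)
    other = sum(c for m, c in counts.items() if m not in modules)
    return [counts[m] / len(window) for m in modules] + [other / len(window)]

def distance(p, q):
    """Total variation distance between two profiles (assumed metric)."""
    return sum(abs(a - b) for a, b in zip(p, q)) / 2

def train(trace, size, margin=1.5):
    """Learn the nominal centroid profile and an alert threshold (assumed margin)."""
    modules = sorted(set(trace))
    profs = [profile(w, modules) for w in windows(trace, size)]
    centroid = [sum(col) / len(profs) for col in zip(*profs)]
    threshold = margin * max(distance(p, centroid) for p in profs)
    return modules, centroid, threshold

def detect(trace, size, model):
    """Return (epoch index, distance) for every epoch outside the nominal range."""
    modules, centroid, threshold = model
    scored = [(i, distance(profile(w, modules), centroid))
              for i, w in enumerate(windows(trace, size))]
    return [(i, d) for i, d in scored if d > threshold]

MODEL = train(NOMINAL, 16)

if __name__ == "__main__":
    for index, dist in detect(OBSERVED, 16, MODEL):
        print(f"epoch {index}: profile distance {dist:.4f} exceeds {MODEL[2]:.4f}")
```

The extra profile slot makes calls into modules never seen during training count toward the distance instead of being silently dropped.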