|
Abstract - Technical Program - ID 99
Learning Program Behavior Profiles for Intrusion Detection
Anup K. Ghosh, Aaron Schwartzbard, and Michael Schatz, Reliable
Software Technologies Corp.
Abstract
Profiling the behavior of programs can be a useful reference for
detecting potential intrusions against systems. This paper presents
three anomaly detection techniques for profiling program behavior that
evolve from memorization to generalization. The goal of monitoring
program behavior is to be able to detect potential intrusions by
noting irregularities in program behavior. The techniques start from a
simple equality matching algorithm for determining anomalous behavior,
and evolve to a feed-forward backpropagation neural network for
learning program behavior, and finally to an Elman network for
recognizing
recurrent features in program execution traces. In order to detect
future attacks against systems, intrusion detection systems must be
able to generalize from past observed behavior. The goal of this
research is to employ machine learning techniques that can generalize
from past observed behavior to the problem of intrusion detection.
The performance of these systems is compared by testing them with data
provided by the DARPA Intrusion Detection Evaluation program.
- View the full text of this paper in
HTML form and
PDF form.
- If you need the latest Adobe Acrobat Reader, you can download it
from Adobe's
site.
- To become a USENIX Member, please see our Membership Information.
|
Need help? Use our Contacts page.
Technical Program