Intrusion Detection Using Variable-Length Audit Trail Patterns

Audit trail patterns generated on behalf of a Unix process can be used to model the process behavior. Most of the approaches proposed so far use a table of fixed-length patterns to represent the process model. Variable-length patterns seem more naturally suited to modeling the process behavior, but they are also more difficult to construct. In this paper, we present a novel technique to build a table of variable-length patterns. This technique is based on Teiresias, an algorithm initially developed for discovering rigid patterns in unaligned biological sequences. We evaluate the quality of our technique in a testbed environment, and compare it with the intrusion-detection system proposed by Forrest et al. [Proc. 1996 IEEE Symp. on Research in Security and Privacy, pp. 120--128], which is based on fixed-length patterns. The results achieved with our novel method are significantly better than those obtained with the original method based on fixed-length patterns.
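To make the contrast between the two model types concrete, here is an added example (not code from Wespi, Dacier and Debar, nor from Forrest et al.) that models a hypothetical process from a constructed audit trail of event names. The fixed-length table holds every k-event window seen in training and scores a test trace by the number of windows absent from the table, in the spirit of Forrest et al. The variable-length table is built by a plain maximal-repeated-substring pass with a minimum support (an assumed simplification, not Teiresias, and without wildcards) and scores a test trace by the minimum number of events that no table pattern can cover, found by dynamic programming rather than greedy matching. All traces, event names and function names are constructed for the illustration.

```python
"""Added illustration, not code from the paper or from Forrest et al.:
score audit-trail traces against a fixed-length and a variable-length pattern table."""
from collections import defaultdict
from functools import lru_cache

# Constructed training traces standing in for audit trails of one hypothetical process.
NORMAL_TRACES = [
    ("open", "read", "read", "close", "open", "write", "close", "exit"),
    ("open", "read", "close", "open", "write", "write", "close", "exit"),
    ("open", "read", "read", "read", "close", "exit"),
]


def build_fixed_table(traces, k):
    """Every length-k window that occurs in the training traces (Forrest et al. style)."""
    return {t[i:i + k] for t in traces for i in range(len(t) - k + 1)}


def fixed_mismatches(trace, table, k):
    """Number of length-k windows of `trace` that are absent from the table."""
    return sum(1 for i in range(len(trace) - k + 1) if trace[i:i + k] not in table)


def build_variable_table(traces, min_support=1, min_len=2):
    """Maximal repeated substrings (assumed stand-in for a Teiresias-built table):
    a pattern is kept when it occurs at least `min_support` times and every
    one-event extension to the left or right occurs strictly less often."""
    support = defaultdict(int)
    for t in traces:
        for i in range(len(t)):
            for j in range(i + min_len, len(t) + 1):
                support[t[i:j]] += 1
    table = set()
    for p, s in support.items():
        if s < min_support:
            continue
        extensions = [q for q in support
                      if len(q) == len(p) + 1 and (q[1:] == p or q[:-1] == p)]
        if all(support[q] < s for q in extensions):
            table.add(p)
    return table


def uncovered_events(trace, table):
    """Minimum number of events left uncovered when `trace` is tiled with table
    patterns. A dynamic programme over positions finds the optimal tiling;
    a greedy longest-match would over-count uncovered events on some traces."""
    n = len(trace)

    @lru_cache(maxsize=None)
    def best(i):
        if i == n:
            return 0
        score = 1 + best(i + 1)                        # leave event i uncovered
        for p in table:
            if trace[i:i + len(p)] == p:
                score = min(score, best(i + len(p)))   # cover events i .. i+len(p)-1
        return score

    return best(0)


def score_trace(trace, k=3):
    """Return (fixed-length mismatches, variable-length uncovered events) for one trace."""
    fixed = build_fixed_table(NORMAL_TRACES, k)
    variable = build_variable_table(NORMAL_TRACES)
    return fixed_mismatches(trace, fixed, k), uncovered_events(trace, variable)


if __name__ == "__main__":
    # Constructed test traces: a plausible normal run and a run containing an unseen event.
    normal = ("open", "read", "read", "close", "exit")
    odd = ("open", "exec", "write", "close", "exit")
    for k in (3, 5):
        print(f"k={k}: normal={score_trace(normal, k)} odd={score_trace(odd, k)}")
```

With this training set the variable-length table contains eleven patterns, among them `("read", "close", "open", "write")`, and it covers the normal test trace completely while leaving two events of the odd trace uncovered. The fixed-length table flags the same odd trace, but its verdict on the normal trace depends on the window length: with k=3 it reports no mismatches, with k=5 it reports one, which is the sensitivity to a single fixed window length that a variable-length table avoids.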

By: A. Wespi, M. Dacier and H. Debar

Published in: Recent Advances in Intrusion Detection, Lecture Notes in Computer Science vol. 1907, ed. by H. Debar, L. Mé and S.F. Wu, Springer-Verlag, Berlin, pp. 110-129, 2000
