An Intrusion-Detection System Based on the Teiresias Pattern-Discovery Algorithm

This paper addresses the problem of creating a pattern table that can be used to model the normal behavior of a given process. The model can be used for intrusion-detection purposes. So far, most of the approaches proposed have been based on fixed-length patterns, although variable-length patterns seem to be more naturally suited to model the normal process behavior. We have developed a technique to build tables of variable-length patterns. This technique is based on Teiresias, an algorithm initially developed for the discovery of rigid patterns in unaligned biological sequences. We evaluate the quality of our technique in a testbed environment and compare it with techniques based on fixed-length patterns.

By: Andreas Wespi, Marc Dacier and Herve Debar

Published in: EICAR '99, ed. by U.E. Gattiker, P. Pedersen and K. Petersen, EICAR, p. 1-15, 1999

Please obtain a copy of this paper from your local library. IBM cannot distribute this paper externally.