Fixed vs. Variable-Length Patterns for Detecting Suspicious Process Behavior

This paper addresses the problem of creating patterns that model the normal behavior of a given process. Such models can then be used for intrusion detection. In previous work, we presented a novel method for generating input data sets that let us observe the normal behavior of a process in a secure environment. Building on that method, we propose several techniques for generating either fixed-length or variable-length patterns. We show the advantages and drawbacks of each technique, based on the results of the experiments we have run on our testbed.
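The abstract contrasts fixed-length and variable-length pattern tables but gives no algorithm, so the following is an added illustration, not the paper's method or code. It assumes a constructed toy trace of audit events, a fixed-length model that is simply the set of n-grams seen in training, and a variable-length model built from repeated substrings with a support threshold, pruned to "closed" patterns (no one-event extension occurs exactly as often) and matched greedily by longest pattern. The paper's own extraction technique differs; the names `fixed_profile`, `variable_profile`, `fixed_mismatches` and `variable_uncovered` are invented for this example.

```python
from collections import Counter

# Constructed training trace: audit events of a hypothetical process across
# several normal runs (not data from the paper).
TRAIN = ("open read read close open read write close "
         "open read read close exec open read write close").split()

# Constructed test trace: the same process, with an injected exec/chmod/exec tail.
TEST = ("open read read close open read write close "
        "exec open read write close exec chmod exec").split()


def ngrams(seq, n):
    """All contiguous length-n windows of seq, as tuples."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


def fixed_profile(train, n):
    """Fixed-length model: the set of every n-gram observed during training."""
    return set(ngrams(train, n))


def fixed_mismatches(test, profile, n):
    """Indices of test n-grams that never occurred in training.
    Note that anything seen even once in training is accepted."""
    return [i for i, g in enumerate(ngrams(test, n)) if g not in profile]


def variable_profile(train, min_len, max_len, min_support):
    """Variable-length model (assumed construction, not the paper's):
    substrings of length min_len..max_len that occur at least min_support
    times, keeping only 'closed' ones, i.e. patterns for which no extension
    by one event on either side occurs exactly as often."""
    counts = Counter()
    # Count one length beyond max_len so closedness of max_len patterns is testable.
    for n in range(min_len, max_len + 2):
        counts.update(ngrams(train, n))
    alphabet = set(train)
    patterns = set()
    for p, c in counts.items():
        if not (min_len <= len(p) <= max_len) or c < min_support:
            continue
        extended = [(x,) + p for x in alphabet] + [p + (x,) for x in alphabet]
        if any(counts.get(e, 0) == c for e in extended):
            continue  # a longer pattern accounts for the same occurrences
        patterns.add(p)
    return patterns


def variable_uncovered(test, patterns):
    """Greedy longest-match cover of the test trace; returns indices of
    events that no pattern in the table covers."""
    by_len = sorted(patterns, key=len, reverse=True)
    i, uncovered = 0, []
    while i < len(test):
        for p in by_len:
            if tuple(test[i:i + len(p)]) == p:
                i += len(p)
                break
        else:
            uncovered.append(i)
            i += 1
    return uncovered


if __name__ == "__main__":
    prof3 = fixed_profile(TRAIN, 3)
    print(f"fixed n=3: {len(prof3)} patterns; "
          f"unknown windows at {fixed_mismatches(TEST, prof3, 3)}")
    vprof = variable_profile(TRAIN, 2, 4, 2)
    print("variable 2..4, support>=2:", sorted(vprof, key=len))
    print("uncovered events at", variable_uncovered(TEST, vprof))
```

On this toy trace the fixed n=3 table holds ten 3-grams and flags the windows around each injected `exec`, while the variable-length table collapses to four patterns (two whole transactions plus two fragments) and flags the `exec` events themselves, because a single training occurrence is below the support threshold. The trade-off the abstract refers to is visible here: the fixed table is larger and accepts any window seen once, whereas the variable-length table is compact and matches long normal transactions in one step but is sensitive to the support and pruning parameters.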

Reprinted in: Journal of Computer Security, vol. 8, pp. 159-168, 2000

By: H. Debar, M. Dacier, M. Nassehi and A. Wespi

Published in: Proceedings of the 5th European Symposium on Research in Computer Security (ESORICS '98), ed. by J.-J. Quisquater, Y. Deswarte, C. Meadows and D. Gollmann, Lecture Notes in Computer Science vol. 1485, Springer-Verlag, Berlin, Heidelberg, pp. 2-15, 1998

Please obtain a copy of this paper from your local library. IBM cannot distribute this paper externally.

Questions about this service can be mailed to reports@us.ibm.com.