Fixed- vs. variable-length patterns for detecting suspicious process behavior

Andreas Wespi, Herve Debar, Marc Dacier, Mehdi Nassehi

Research output: Contribution to journalArticlepeer-review

16 Scopus citations


This paper addresses the problem of creating patterns that can be used to model the normal behavior of a given process. The models can be used for intrusion-detection purposes. First, we present a novel method to generate input data sets that enable us to observe the normal behavior of a process in a secure environment. Second, we propose various techniques to derive either fixed-length or variable-length patterns from the input data sets. We show the advantages and drawbacks of each technique, based on the results of the experiments we have run on our testbed.
Original languageEnglish (US)
Pages (from-to)159-181
Number of pages23
JournalJournal of Computer Security
Issue number2
StatePublished - Jan 1 2000
Externally publishedYes

ASJC Scopus subject areas

  • Hardware and Architecture
  • Software
  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality


Dive into the research topics of 'Fixed- vs. variable-length patterns for detecting suspicious process behavior'. Together they form a unique fingerprint.

Cite this