Intrusion detection using variable-length audit trail patterns

Andreas Wespi, Marc Dacier, Hervé Debar

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

116 Scopus citations

Abstract

Audit trail patterns generated on behalf of a Unix process can be used to model the process behavior. Most of the approaches proposed so far use a table of fixed-length patterns to represent the process model. However, variable-length patterns seem to be more naturally suited to model the process behavior, but they are also more difficult to construct. In this paper, we present a novel technique to build a table of variable-length patterns. This technique is based on Teiresias, an algorithm initially developed for discovering rigid patterns in unaligned biological sequences. We evaluate the quality of our technique in a testbed environment, and compare it with the intrusion-detection system proposed by Forrest et al. [8], which is based on fixed-length patterns. The results achieved with our novel method are significantly better than those obtained with the original method based on fixed-length patterns.
Original language: English (US)
Title of host publication: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Publisher: Springer Verlag
Pages: 110-129
Number of pages: 20
ISBN (Print): 9783540410850
DOIs
State: Published - Jan 1 2000
Externally published: Yes
