The use of program execution traces to detect intrusions has proven to be a successful strategy. Existing systems that employ this approach are anomaly detectors, meaning that they model a program’s normal behavior and signal deviations from that behavior. Unfortunately, many program-based exploits of NT systems use specialized malicious executables. Anomaly detection systems cannot deal with such programs because there is no standard of “normalcy” that they deviate from. This paper is a preliminary report on an attempt to remedy that situation. We report on a prototype system that learns to identify specific program behaviors. Though the goal is to identify malicious behavior, in this paper we report on experiments seeking to identify the behavior of the web-browser, since we did not have enough exemplars of malicious behavior to use as training data. Using automatically generated finite automata, we search for features in execution traces that allow us to distinguish browsers from other programs. In our experiments, we find that this technique does, in fact, allow us to distinguish traces Internet Explorer from traces of programs that are not web browsers, after training with Netscape and a different set of non-browsers.
CITATION STYLE
Michael, C., & Ghosh, A. (2000). Using finite automata to mine execution data for intrusion detection: A preliminary report. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 1907, pp. 66–79). Springer Verlag. https://doi.org/10.1007/3-540-39945-3_5
Mendeley helps you to discover research relevant for your work.