17th Annual Computer Security Applications Conference (ACSAC'01)
Temporal Signatures for Intrusion Detection
New Orleans, Louisiana
December 10-December 14
ISBN: 0-7695-1405-7
A. Jones, University of Virginia
S. Li, University of Massachusetts
We introduce a new method for detecting intrusions based on the temporal behavior of applications. It builds on an existing method of application intrusion detection developed at the University of New Mexico that uses a system call sequence as a signature. Intrusions are detected by comparing the signature of the intrusion with that of the normal application. But when the system call sequences generated by the intrusion and the normal application are sufficiently similar, this method cannot work. By extending the system call signature to incorporate temporal information related to the application, we form a richer signature. Analysis shows that the temporal behavior of many applications is relatively stable. We exclude high-variance data when creating a normal database to characterize an application with a temporal signature. This database can then be the basis for future comparisons in an intrusion detection system. This paper discusses experiments that test the effectiveness of the temporal signature on different applications, alternative intrusions, and in various environments. The results show that by choosing appropriate analysis methods and experimentally adjusting the parameters, intrusions are readily detected. Finally, we give some comparisons between the temporal signature method and the system call method.
Index Terms:
security, application intrusion detection, temporal signature
A. Jones, S. Li, "Temporal Signatures for Intrusion Detection," acsac, pp.0252, 17th Annual Computer Security Applications Conference (ACSAC'01), 2001