DARPA Information Survivability Conference and Exposition - Volume I
Finding the Vocabulary of Program Behavior Data for Anomaly Detection
Washington, DC
April 22-April 24
ISBN: 0-7695-1897-4
Citation:
C. C. Michael, "Finding the Vocabulary of Program Behavior Data for Anomaly Detection," DARPA Information Survivability Conference and Exposition (DISCEX), vol. 1, p. 152, 2003. DOI: 10.1109/DISCEX.2003.1194881

BibTeX:
@inproceedings{10.1109/DISCEX.2003.1194881,
  author    = {C. C. Michael},
  title     = {Finding the Vocabulary of Program Behavior Data for Anomaly Detection},
  booktitle = {DARPA Information Survivability Conference and Exposition},
  volume    = {1},
  pages     = {152},
  year      = {2003},
  issn      = {2003102155},
  doi       = {10.1109/DISCEX.2003.1194881},
  url       = {http://doi.ieeecomputersociety.org/10.1109/DISCEX.2003.1194881},
  publisher = {IEEE Computer Society},
  address   = {Los Alamitos, CA, USA}
}
Abstract:
Application-based anomaly detectors construct a baseline model of normal application behavior, and deviations from that model are interpreted as signs of a possible intrusion. But current anomaly detectors monitor application behavior at a high level of detail, and many irrelevant variations in that behavior can cause false alarms. This paper discusses the preprocessing of the audit data ultimately used by application-based anomaly detection systems. The goal is to create a more abstract picture of program behavior, filtering out many irrelevant details. Our specific approach automatically identifies repeating subsequences of behavior events and sequences of events that always occur together. This preprocessing technique can be used with a wide variety of program-based anomaly detectors; we present empirical results showing how it improves the performance of the well-known stide anomaly detection system.
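The following Python is an added illustration of the idea in the abstract and is not the paper's code or its actual algorithm. It stands in two simple rules for the paper's techniques: back-to-back repetitions of a subsequence (a loop body) are collapsed into one token, and adjacent tokens that always occur together in the normal traces are merged into one. A minimal stide (fixed-length windows of normal traces, unseen windows counted as mismatches) is run on the raw and on the abstracted traces. The system-call-like traces, the window length k=6, and the token naming conventions are all constructed for this example. It shows the failure mode the abstract describes: a benign run with a longer loop produces as many raw stide mismatches as a trace with injected calls, while after preprocessing the benign run produces none.

```python
"""Added example: a toy 'vocabulary' preprocessor in front of a stide-style
n-gram detector. The two abstraction rules and all traces are constructed for
this illustration; they are not the paper's algorithm."""
from collections import Counter
from typing import Iterable, List, Sequence, Set, Tuple

Trace = List[str]


def _run_length(t: Sequence[str], i: int, n: int) -> int:
    """Number of back-to-back copies of t[i:i+n] starting at position i."""
    unit, reps = list(t[i:i + n]), 1
    while list(t[i + reps * n:i + (reps + 1) * n]) == unit:
        reps += 1
    return reps


def _collapse_once(t: Sequence[str], max_unit: int) -> Trace:
    out: Trace = []
    i = 0
    while i < len(t):
        for n in range(1, max_unit + 1):           # shortest period wins
            reps = _run_length(t, i, n)
            if reps >= 2:                          # 'read write read write' -> 'read|write+'
                out.append("|".join(t[i:i + n]) + "+")
                i += reps * n
                break
        else:
            out.append(t[i])
            i += 1
    return out


def collapse_repeats(trace: Sequence[str], max_unit: int = 4) -> Trace:
    """Collapse repeated subsequences until nothing changes (handles nested loops)."""
    t = list(trace)
    while True:
        nt = _collapse_once(t, max_unit)
        if nt == t:
            return t
        t = nt


def _inseparable_pairs(traces: List[Trace]) -> Set[Tuple[str, str]]:
    """Adjacent pairs (a, b) where a is always followed by b and b is always
    preceded by a, over all training traces."""
    uni, bi = Counter(), Counter()
    for t in traces:
        uni.update(t)
        bi.update(zip(t, t[1:]))
    return {(a, b) for (a, b), n in bi.items() if a != b and n == uni[a] == uni[b]}


def _merge_pairs(t: Trace, pairs: Set[Tuple[str, str]]) -> Trace:
    out: Trace = []
    i = 0
    while i < len(t):
        if i + 1 < len(t) and (t[i], t[i + 1]) in pairs:   # 'open' + 'read|write+'
            out.append(t[i] + ">" + t[i + 1])
            i += 2
        else:
            out.append(t[i])
            i += 1
    return out


class Vocabulary:
    """Learns merge rules from normal traces; transform() replays them."""

    def __init__(self, max_unit: int = 4) -> None:
        self.max_unit = max_unit
        self.merge_passes: List[Set[Tuple[str, str]]] = []

    def fit(self, traces: Iterable[Sequence[str]]) -> "Vocabulary":
        cur = [collapse_repeats(t, self.max_unit) for t in traces]
        while True:
            pairs = _inseparable_pairs(cur)
            if not pairs:                  # every pass shortens a trace, so this ends
                return self
            self.merge_passes.append(pairs)
            cur = [_merge_pairs(t, pairs) for t in cur]

    def transform(self, trace: Sequence[str]) -> Trace:
        t = collapse_repeats(trace, self.max_unit)
        for pairs in self.merge_passes:    # same passes, same order, as in training
            t = _merge_pairs(t, pairs)
        return t


def _windows(t: Sequence[str], k: int) -> List[Tuple[str, ...]]:
    if len(t) <= k:                        # short trace: the whole trace is one window
        return [tuple(t)]
    return [tuple(t[i:i + k]) for i in range(len(t) - k + 1)]


class Stide:
    """Minimal stide: the set of length-k windows seen in normal traces."""

    def __init__(self, k: int = 6) -> None:
        self.k, self.db = k, set()

    def fit(self, traces: Iterable[Sequence[str]]) -> "Stide":
        for t in traces:
            self.db.update(_windows(t, self.k))
        return self

    def mismatches(self, trace: Sequence[str]) -> int:
        return sum(1 for w in _windows(trace, self.k) if w not in self.db)


def evaluate(training: List[Trace], trace: Trace, k: int = 6) -> Tuple[int, int]:
    """(raw stide mismatches, mismatches after vocabulary preprocessing)."""
    raw = Stide(k).fit(training).mismatches(trace)
    vocab = Vocabulary().fit(training)
    pre = Stide(k).fit([vocab.transform(t) for t in training]).mismatches(vocab.transform(trace))
    return raw, pre


# Constructed traces of a file-copy-like program: two normal loop counts and
# an early exit, then a benign run with a longer loop and a run with injected calls.
NORMAL_TRACES = [
    "stat open read write read write close exit".split(),
    "stat open read write read write read write close exit".split(),
    "stat exit".split(),
]
BENIGN_LONG_LOOP = ("stat open " + "read write " * 6 + "close exit").split()
ATTACK_TRACE = "stat open read write mmap execve close exit".split()

if __name__ == "__main__":
    print("benign long loop (raw, preprocessed):", evaluate(NORMAL_TRACES, BENIGN_LONG_LOOP))
    print("injected calls   (raw, preprocessed):", evaluate(NORMAL_TRACES, ATTACK_TRACE))
```

With k=6 the raw detector reports 3 mismatches for both the benign long loop and the trace with injected calls, so a threshold cannot separate them; after collapsing the loop and merging the always-adjacent tokens, the benign trace maps onto the same vocabulary string as the training traces (0 mismatches) while the injected calls still yield 3. The caveat a practitioner should keep in mind is that every merge rule learned in training also shrinks what stide can see: if an attacker can stay inside a merged token's vocabulary, the abstraction hides the detail, so the merge rules should be learned from a training set that covers the program's legitimate paths.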
