Behavioral Distance Measurement using Hidden Markov Models
Publication Type
Conference Proceeding Article
Publication Date
9-2006
Abstract
The behavioral distance between two processes is a measure of the deviation of their behaviors. Behavioral distance has been proposed for detecting the compromise of a process, by computing its behavioral distance from another process executed on the same input. Provided that the two processes are diverse and so unlikely to fall prey to the same attacks, an increase in behavioral distance might indicate the compromise of one of them. In this paper we propose a new approach to behavioral distance calculation using a new type of Hidden Markov Model. We also empirically evaluate the intrusion detection capability of our proposal when used to measure the distance between the system-call behaviors of diverse web servers. Our experiments show that it detects intrusions with substantially greater accuracy and with performance overhead comparable to that of prior proposals.
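As an added illustration of the behavioral-distance idea described in the abstract (this is example code written for this page, not code from the paper): two diverse servers handle the same request, their system-call traces are scored jointly by a small pair HMM, and a jump in the per-call negative log-likelihood flags one of the pair as compromised. The three-state pair HMM (match / gap-in-trace-1 / gap-in-trace-2), its hand-set parameters, the max-times-margin threshold rule, and the system-call traces are all assumptions made for the example; the paper's HMM is a different, trained model.

```python
import math

# Constructed system-call vocabulary (illustration only; not data from the paper).
SYSCALLS = ["accept", "read", "open", "fstat", "mmap", "write", "close",
            "socket", "connect", "dup2", "execve", "exit"]


def log_add(a, b):
    """log(exp(a) + exp(b)) computed without underflow."""
    if a == -math.inf:
        return b
    if b == -math.inf:
        return a
    m = max(a, b)
    return m + math.log(math.exp(a - m) + math.exp(b - m))


class PairHMM:
    """Three-state pair HMM (assumed structure, not the model in the paper).
    M emits one call from each trace, X emits a call from trace 1 only,
    Y emits a call from trace 2 only.  Parameters are hand-set here; a real
    system would learn them from benign trace pairs."""

    def __init__(self, vocab, delta=0.1, eps=0.3, p_same=0.9):
        v = len(vocab)
        self.log_same = math.log(p_same)                        # M: identical calls
        self.log_diff = math.log((1.0 - p_same) / (v * v - v))  # M: differing pair
        self.log_gap = math.log(1.0 / v)                        # X or Y: one call
        self.t = {  # log transition probabilities between states
            "M": {"M": math.log(1 - 2 * delta), "X": math.log(delta), "Y": math.log(delta)},
            "X": {"M": math.log(1 - eps - delta), "X": math.log(eps), "Y": math.log(delta)},
            "Y": {"M": math.log(1 - eps - delta), "Y": math.log(eps), "X": math.log(delta)},
        }

    def log_prob(self, s1, s2):
        """Forward algorithm: log P(s1, s2 | model), summed over all alignments."""
        n, m, t, neg = len(s1), len(s2), self.t, -math.inf
        fM = [[neg] * (m + 1) for _ in range(n + 1)]
        fX = [[neg] * (m + 1) for _ in range(n + 1)]
        fY = [[neg] * (m + 1) for _ in range(n + 1)]
        fM[0][0] = 0.0  # the begin state behaves like M
        for i in range(n + 1):
            for j in range(m + 1):
                if i > 0 and j > 0:  # M consumes one call from each trace
                    e = self.log_same if s1[i - 1] == s2[j - 1] else self.log_diff
                    fM[i][j] = e + log_add(log_add(fM[i-1][j-1] + t["M"]["M"],
                                                   fX[i-1][j-1] + t["X"]["M"]),
                                           fY[i-1][j-1] + t["Y"]["M"])
                if i > 0:  # X consumes a call from trace 1 only
                    fX[i][j] = self.log_gap + log_add(log_add(fM[i-1][j] + t["M"]["X"],
                                                              fX[i-1][j] + t["X"]["X"]),
                                                      fY[i-1][j] + t["Y"]["X"])
                if j > 0:  # Y consumes a call from trace 2 only
                    fY[i][j] = self.log_gap + log_add(log_add(fM[i][j-1] + t["M"]["Y"],
                                                              fY[i][j-1] + t["Y"]["Y"]),
                                                      fX[i][j-1] + t["X"]["Y"])
        return log_add(log_add(fM[n][m], fX[n][m]), fY[n][m])


def behavioral_distance(model, s1, s2):
    """Negative log-likelihood per emitted call: small when the traces align well."""
    return -model.log_prob(s1, s2) / (len(s1) + len(s2))


def calibrate(model, benign_pairs, margin=1.25):
    """Threshold = largest distance over benign training pairs times a margin
    (the margin is an arbitrary assumption for this example)."""
    return margin * max(behavioral_distance(model, a, b) for a, b in benign_pairs)


def is_compromised(model, threshold, s1, s2):
    """Raise an alert when the pair drifts further apart than benign pairs did."""
    return behavioral_distance(model, s1, s2) > threshold


# Constructed traces of two diverse servers serving the same requests (not real data).
SERVER_A = ["accept", "read", "open", "fstat", "mmap", "write", "close"]
SERVER_B = ["accept", "read", "fstat", "open", "read", "write", "close"]
SERVER_A2 = ["accept", "read", "open", "fstat", "read", "write", "close"]
SERVER_B2 = ["accept", "read", "fstat", "open", "read", "write", "close"]
# Server A after a hypothetical compromise that spawns a connect-back shell.
SERVER_A_PWNED = ["accept", "read", "socket", "connect", "dup2", "dup2", "execve", "write"]

MODEL = PairHMM(SYSCALLS)
THRESHOLD = calibrate(MODEL, [(SERVER_A, SERVER_B), (SERVER_A2, SERVER_B2)])

if __name__ == "__main__":
    for name, trace in [("benign", SERVER_A), ("pwned", SERVER_A_PWNED)]:
        d = behavioral_distance(MODEL, trace, SERVER_B)
        print(f"{name}: distance={d:.2f} threshold={THRESHOLD:.2f} "
              f"alert={is_compromised(MODEL, THRESHOLD, trace, SERVER_B)}")
```

The forward pass sums over every way of lining the two traces up, so the score does not depend on choosing one alignment; mismatched pairs and unmatched calls are both penalised, which is why the injected socket/connect/dup2/execve sequence drives the distance above what the benign ordering differences between the two servers produce.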
Keywords
intrusion detection, anomaly detection, system call, behavioral distance
Discipline
Information Security
Research Areas
Information Security and Trust
Publication
Recent Advances in Intrusion Detection: 9th International Symposium, RAID 2006 Hamburg, Germany, September 20-22, 2006 Proceedings
Volume
4219
First Page
19
Last Page
40
ISBN
9783540397250
Identifier
10.1007/11856214_2
Publisher
Springer Verlag
City or Country
Hamburg, Germany
Citation
GAO, Debin; Reiter, Michael K.; and SONG, Dawn.
Behavioral Distance Measurement using Hidden Markov Models. (2006). Recent Advances in Intrusion Detection: 9th International Symposium, RAID 2006 Hamburg, Germany, September 20-22, 2006 Proceedings. 4219, 19-40.
Available at: https://ink.library.smu.edu.sg/sis_research/1244
Additional URL
http://dx.doi.org/10.1007/11856214_2