Abstract
Intrusion detection aims at raising an alarm any time the security of an IT system gets compromised. Though highly successful, Intrusion Detection Systems are all susceptible of mimicry attacks [1]. A mimicry attack is a variation of an attack that attempts to pass by as normal behaviour. In this paper, we introduce a method which is capable of successfuly detecting a significant and interesting sub-class of mimicry attacks. Our method makes use of a word network [2, 3]. A word network conveniently decomposes a pattern matching problem into a chain of smaller, noise-tolerant pattern matchers, thereby making it more tractable. A word network is realised as a finite state machine, where every state is a hidden Markov model. Our mechanism has shown a 93% of effectivity, with a false positive rate of 3%.
This research was partially supported by three grants: FRIDA, CONACYT 47557 and ITESM CCEM-0302-05.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Wagner, D., Soto, P.: Mimicry Attacks on Host Based Intrusion Detection Systems. In: Proceedings of the Ninth ACM Conference on Computer and Communications Security, Washington, DC, USA, pp. 255–265. ACM, New York (2002)
Young, S., Evermann, G., Kershaw, D., Moore, G., Odell, J., Ollason, D., Povey, D., Valtchev, V., Woodland, P.: The HTK Book for HTK Version 3.2, Cambridge University Engineering Department (2002)
Pereira, F., Riley, M.: Speech Recognition by Composition of Weighted Finite Automata. In: Roche, E., Schabes, Y. (eds.) Finite-State Language Processing, pp. 431–453. MIT press, Cambridge (1997)
Brown, M.: RNA Modeling Using Stochastic Context-Free Grammars. PhD thesis, University of California, Santa Cruz (1999)
Manning, C.D., Schütze, H.: Foundations of Statistical Natural Language Processing. MIT Press, Massachusets Institute of Technology, Cambridge, Massachusets 02142 (1999)
Rabiner, L.R.: A Tutorial on Hidden Markov Models and Selected Applications in Speech Recognition. Proceedings of the IEEE 77, 257–286 (1989)
Warrender, C., Forrest, S., Pearlmutter, B.: Detecting Intrusions Using System Calls: Alternative Data Models. In: Proceedings of the 1999 IEEE Symposium on Security and Privacy, pp. 133–145. IEEE Computer Society Press, Los Alamitos (1999)
Tan, K.M.C., Maxion, R.A.: Why 6? Defining the Operational Limits of STIDE, an Anomaly-Based Intrusion Detector. In: Proceedings of IEEE Symposium on Security & Privacy, pp. 188–201 (2002)
Qiao, Y., Xin, X., Bin, Y., Ge, S.: Anomaly Intrusion Detection Method Based on HMM. Electronic Letters 38, 663–664 (2002)
Yeung, D., Ding, Y.: Host-Based Intrusion Detection Using Dynamic and Static Behavioral Models. Pattern Recognition 36, 229–243 (2003)
Kendall, K.: A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems. Master’s thesis, Massachusetts Institute of Technology (1998)
Lippman, R.P., Cunningham, R.K., Fried, D.J., Graf, I., Kendall, K.R., Webster, S.E., Zissman, M.A.: Results of the DARPA 1998 Offline Intrusion Detection Evaluation. In: RAID 1999 Conference (1999) (slides presentation)
Giffin, J., Jha, S., Miller, B.: Efficient Context-Sensitive Intrusion Detection. In: Proceedings of the 11th Annual Network and Distributed Systems Security Symposium (NDSS), San Diego, California, The Internet Society (2004)
Schonlau, M., DuMouchel, W., Ju, W., Karr, A., Theus, M., Vardi, Y.: Computer Intrusion: Detecting Masquerades. Statistical Science 16, 1–17 (2001) (to appear)
Maxion, R., Townsend, T.: Masquerade Detection Using Truncated Command Lines. In: Proceedings of the International Conference on Dependable Systems & Networks, Washington, DC, pp. 219–228. IEEE, Los Alamitos (2002)
Scott, C., Joel, B., Boleslaw, S., Eric, B.: Intrusion Detection: A Bioinformatics Approach. In: Proceeding of the 19th Annual Computer Security Applications Conference, Las Vegas, Nevada, pp. 24–33 (2003)
Boleslaw, S., Yongqiang, Z.: Recursive Data Mining for Masquerade Detection and Author Identification. In: Proceedings of the 5th IEEE System, Man and Cybernetics Information Assurance Workshop, West Point, NY, pp. 424–431. IEEE, Los Alamitos (2004)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Godínez, F., Hutter, D., Monroy, R. (2006). On the Use of Word Networks to Mimicry Attack Detection. In: Müller, G. (eds) Emerging Trends in Information and Communication Security. ETRICS 2006. Lecture Notes in Computer Science, vol 3995. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11766155_30
Download citation
DOI: https://doi.org/10.1007/11766155_30
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-34640-1
Online ISBN: 978-3-540-34642-5
eBook Packages: Computer ScienceComputer Science (R0)