A new intrusion detection method based on process profiling

Y. Okazaki, I. Sato, Shigeki Goto

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    27 Citations (Scopus)

    Abstract

    There are two well-known models for intrusion detection: the anomaly intrusion detection (AID) model and the misuse intrusion detection (MID) model. The former analyzes user behavior and the statistics of a process in a normal situation, and checks whether the system is being used in a different manner. The latter maintains a database of known intrusion techniques and detects intrusion by comparing behavior against the database. An intrusion detection method based on an AID model can detect a new intrusion method, but needs to update the data describing user behavior and statistics in normal usage. We call this information profiles. There are several problems in AID to be addressed. The profiles tend to be large. Detecting intrusion needs a large amount of system resources, such as CPU time, memory and disk space. An MID model requires fewer system resources to detect intrusion. However, it cannot detect new, unknown intrusion methods. Our method solves these problems by recording system calls from daemon processes and setuid programs. We improved detection accuracy by adopting a DP matching scheme.
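    The abstract describes profiling the system calls of daemons and setuid programs and comparing observed traces against the profile with DP (dynamic programming) matching. The following is an added illustration of that idea, not code from the paper: it assumes a profile is simply a set of normal system-call traces per program, uses the classic Levenshtein edit-distance recurrence as the DP matching step, and flags a trace whose normalised distance to every profiled trace exceeds a threshold. The program name, traces and threshold are constructed for the example; the paper's own profile layout, matching scheme and thresholds are not given on this page.

```python
"""DP (edit-distance) matching of system-call traces against a per-program
profile. Added illustration only: the profile layout, traces and threshold
are constructed assumptions, not the paper's data or algorithm."""
from typing import Dict, List, Sequence, Tuple

# Constructed profile: traces recorded from a hypothetical setuid program
# ("setuid-tool") during normal operation. A real profile would be built
# from many recorded runs; its size is the resource cost the abstract notes.
NORMAL_TRACES: Dict[str, List[List[str]]] = {
    "setuid-tool": [
        ["execve", "brk", "open", "read", "close", "setuid",
         "open", "write", "close", "exit"],
        ["execve", "brk", "open", "read", "close", "setuid", "exit"],
    ],
}


def edit_distance(a: Sequence[str], b: Sequence[str]) -> int:
    """Levenshtein distance between two syscall sequences, computed with the
    standard O(len(a) * len(b)) dynamic-programming recurrence. Two rows of
    the DP table suffice, which keeps memory use small per comparison."""
    prev = list(range(len(b) + 1))          # distance from a[:0] to b[:j]
    for i, x in enumerate(a, start=1):
        cur = [i]                            # distance from a[:i] to b[:0]
        for j, y in enumerate(b, start=1):
            cost = 0 if x == y else 1
            cur.append(min(prev[j] + 1,          # drop x
                           cur[j - 1] + 1,       # insert y
                           prev[j - 1] + cost))  # match or substitute
        prev = cur
    return prev[-1]


def anomaly_score(trace: Sequence[str], profile: List[List[str]]) -> float:
    """Normalised distance to the closest profiled trace.
    0.0 means the trace was seen exactly; 1.0 means nothing aligns."""
    return min(edit_distance(trace, ref) / max(len(trace), len(ref))
               for ref in profile)


def classify(program: str, trace: Sequence[str],
             threshold: float = 0.3) -> Tuple[str, float]:
    """Label a recorded trace for `program` against NORMAL_TRACES.
    The threshold is an assumed tuning knob; raising it trades missed
    detections for fewer false alarms on benign variation."""
    profile = NORMAL_TRACES.get(program)
    if profile is None:
        # No profile at all: an AID scheme cannot judge this program.
        return ("unprofiled", 1.0)
    score = anomaly_score(trace, profile)
    return ("anomalous" if score > threshold else "normal", score)


# Constructed traces: a benign run with one extra read (minor variation
# that exact matching would reject) and a run that diverges sharply after
# the privilege change, which DP matching scores as far from the profile.
BENIGN_VARIANT = ["execve", "brk", "open", "read", "read", "close",
                  "setuid", "exit"]
DIVERGENT_RUN = ["execve", "brk", "open", "read", "close", "setuid",
                 "chmod", "chown", "unlink", "unlink", "rename", "exit"]

if __name__ == "__main__":
    for name, t in [("benign variant", BENIGN_VARIANT),
                    ("divergent run", DIVERGENT_RUN)]:
        label, score = classify("setuid-tool", t)
        print(f"{name}: {label} (score {score:.3f})")
```

    Matching every incoming trace against every profiled trace costs O(n*m) per pair, so the profile size directly drives the CPU cost the abstract points to; in practice one would dedupe profiled traces or index them by a prefix before running the DP step.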

    Original language: English
    Title of host publication: Proceedings - 2002 Symposium on Applications and the Internet, SAINT 2002
    Publisher: Institute of Electrical and Electronics Engineers Inc.
    Pages: 82-90
    Number of pages: 9
    ISBN (Print): 0769514472, 9780769514475
    DOIs: 10.1109/SAINT.2002.994455
    Publication status: Published - 2002
    Event: Symposium on Applications and the Internet, SAINT 2002 - Nara City, Japan
    Duration: 2002 Jan 28 to 2002 Feb 1

    Other

    Other: Symposium on Applications and the Internet, SAINT 2002
    Country: Japan
    City: Nara City
    Period: 02/1/28 to 02/2/1

    Fingerprint

    Intrusion detection
    Statistics
    Program processors
    Computer systems
    Data storage equipment

    Keywords

    • Internet
    • Intrusion detection

    ASJC Scopus subject areas

    • Computer Networks and Communications
    • Computer Science Applications

    Cite this

    Okazaki, Y., Sato, I., & Goto, S. (2002). A new intrusion detection method based on process profiling. In Proceedings - 2002 Symposium on Applications and the Internet, SAINT 2002 (pp. 82-90). [994455] Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/SAINT.2002.994455

    @inproceedings{1d65f467083742a281b0b4858b6e78c1,
    title = "A new intrusion detection method based on process profiling",
    abstract = "There are two well-known models for intrusion detection-anomaly intrusion detection (AID) model and misuse intrusion detection (MID) model. The former analyzes user behavior and the statistics of a process in a normal situation, and checks whether the system is being used in a different manner. The latter maintains a database of known intrusion techniques and detects intrusion by comparing behavior against the database. An intrusion detection method based on an AID model can detect a new intrusion method, but needs to update the data describing user behavior and statistics in normal usage. We call these information profiles. There are several problems in AID to be addressed. The profiles tend to be large. Detecting intrusion needs a large amount of system resources, like CPU time and memory and disk space. An MID model requires fewer system resources to detect intrusion. However, it cannot detect new, unknown intrusion methods. Our method solves these problems by recording system calls from daemon processes and setuid programs. We improved detection accuracy by adopting a DP matching scheme.",
    keywords = "Internet, Intrusion detection",
    author = "Y. Okazaki and I. Sato and Shigeki Goto",
    year = "2002",
    doi = "10.1109/SAINT.2002.994455",
    language = "English",
    isbn = "0769514472",
    pages = "82--90",
    booktitle = "Proceedings - 2002 Symposium on Applications and the Internet, SAINT 2002",
    publisher = "Institute of Electrical and Electronics Engineers Inc.",

    }

    TY - GEN

    T1 - A new intrusion detection method based on process profiling

    AU - Okazaki, Y.

    AU - Sato, I.

    AU - Goto, Shigeki

    PY - 2002

    Y1 - 2002

    AB - There are two well-known models for intrusion detection-anomaly intrusion detection (AID) model and misuse intrusion detection (MID) model. The former analyzes user behavior and the statistics of a process in a normal situation, and checks whether the system is being used in a different manner. The latter maintains a database of known intrusion techniques and detects intrusion by comparing behavior against the database. An intrusion detection method based on an AID model can detect a new intrusion method, but needs to update the data describing user behavior and statistics in normal usage. We call these information profiles. There are several problems in AID to be addressed. The profiles tend to be large. Detecting intrusion needs a large amount of system resources, like CPU time and memory and disk space. An MID model requires fewer system resources to detect intrusion. However, it cannot detect new, unknown intrusion methods. Our method solves these problems by recording system calls from daemon processes and setuid programs. We improved detection accuracy by adopting a DP matching scheme.

    KW - Internet

    KW - Intrusion detection

    UR - http://www.scopus.com/inward/record.url?scp=1842693637&partnerID=8YFLogxK

    UR - http://www.scopus.com/inward/citedby.url?scp=1842693637&partnerID=8YFLogxK

    U2 - 10.1109/SAINT.2002.994455

    DO - 10.1109/SAINT.2002.994455

    M3 - Conference contribution

    AN - SCOPUS:1842693637

    SN - 0769514472

    SN - 9780769514475

    SP - 82

    EP - 90

    BT - Proceedings - 2002 Symposium on Applications and the Internet, SAINT 2002

    PB - Institute of Electrical and Electronics Engineers Inc.

    ER -