Fixed- vs. variable-length patterns for detecting suspicious process behavior

Article type: Research Article

Authors: Wespi, Andreas^{; *} | Debar, Hervé | Dacier, Marc | Nassehi, Mehdi

Affiliations: IBM Research, Zurich Research Laboratory, Säumerstrasse 4, CH-8803 Rüschlikon, Switzerland. E-mail: anw@zurich.ibm.com, deb@zurich.ibm.com, dac@zurich.ibm.com, mmn@zurich.ibm.com

Correspondence: [*] Corresponding author. Tel.: +41 1 724 8624; Fax: +41 1 724 8953; E-mail: anw@zurich.ibm.com.

Abstract: This paper addresses the problem of creating patterns that can be used to model the normal behavior of a given process. The models can be used for intrusion-detection purposes. First, we present a novel method to generate input data sets that enable us to observe the normal behavior of a process in a secure environment. Second, we propose various techniques to derive either fixed-length or variable-length patterns from the input data sets. We show the advantages and drawbacks of each technique, based on the results of the experiments we have run on our testbed.

DOI: 10.3233/JCS-2000-82-305

Journal: Journal of Computer Security, vol. 8, no. 2-3, pp. 159-181, 2000