Title :
Pairgram: Modeling frequency information of lookahead pairs for system call based anomaly detection
Author :
Hubballi, Neminath
Author_Institution :
Infosys Labs., Bangalore, India
Abstract :
System call sequence based anomaly detection is one of the most widely studied models of anomaly detection. There are two ways to model system call sequences: as full sequences or as lookahead pairs. Recently it has been shown that lookahead pairs perform better than full sequences. In this paper we propose an impurity tolerant model of system call based anomaly detection called Pairgram. Pairgram exploits the frequency information of lookahead pairs to build a model of normal behavior. Since it is generally assumed that normal and abnormal sequences follow a skewed distribution, more frequently occurring system call sequences are considered normal and less frequent sequences are considered abnormal. A series of experiments on the University of New Mexico system call dataset demonstrated the effectiveness of Pairgram on an impure dataset. Further, the model is highly space efficient, i.e., it has a constant space complexity equal to the square of the alphabet size of the program sequence.
Keywords :
application program interfaces; computational complexity; security of data; software fault tolerance; Pairgram; abnormal sequence skewed distribution; constant space complexity; impurity tolerant model; lookahead pair frequency information modeling; normal sequence skewed distribution; program sequence; system call dataset; system call sequence based anomaly detection; Approximation algorithms; Complexity theory; Indexes; Intrusion detection; Testing; Training; Impurity tolerant models; Intrusion detection system; Lookahead pairs; Program based anomaly detection;
Conference_Title :
Communication Systems and Networks (COMSNETS), 2012 Fourth International Conference on
Conference_Location :
Bangalore
Print_ISBN :
978-1-4673-0296-8
Electronic_ISBN :
978-1-4673-0297-5
DOI :
10.1109/COMSNETS.2012.6151337