DocumentCode
478454
Title
Investigating intrusion detection systems that use trails of system calls
Author
Amer, Suhair Hafez ; Hamilton, John A.
Author_Institution
Dept. of Comput. Sci. & Software Eng., Auburn Univ., Auburn, AL
fYear
2008
fDate
16-18 June 2008
Firstpage
377
Lastpage
384
Abstract
Three intrusion detection systems that use trails of system calls have been investigated. The three techniques used to generate the pattern database have been adapted from the sequence method, the lookahead-pairs method and the variable-length-with-overlap-relationship method. Testing against Trojan horse and denial-of-service attacks was analyzed. None of the systems is capable of defeating the system-call denial-of-service attack. Modification is necessary to indicate a maximum threshold value for the number of times a pattern may be contiguously repeated. Furthermore, the lookahead-pairs method had the best space cost performance with a window size less than 24.
Keywords
computer networks; security of data; telecommunication network management; telecommunication security; Trojan horse; denial-of-service attacks; intrusion detection system; lookahead-pairs method; maximum threshold; pattern database; sequence method; system call trails; variable-length-with-overlap-relationship method; Computer crime; Computer science; Costs; Databases; Hamming distance; Intrusion detection; Invasive software; Monitoring; Software engineering; Testing; Host-based intrusion detection; lookahead-pairs method; sequence method; variable length with overlap relationship method;
fLanguage
English
Publisher
IEEE
Conference_Titel
Performance Evaluation of Computer and Telecommunication Systems, 2008. SPECTS 2008. International Symposium on
Conference_Location
Edinburgh
Print_ISBN
978-1-56555-320-0
Type
conf
Filename
4667587