Temporal Signatures for Intrusion DetectionReport
We introduce a new method for detecting intrusions based on the temporal behavior of applications. It builds on an existing method of application intrusion detection developed at the University of New Mexico that uses a system call sequence as a signature. Intrusions are detected by comparing the signature of the intrusion and that of the normal application. But when the system call sequences generated by the intrusion and the normal application are sufficiently similar, this method cannot work. By extending system call signature to incorporate temporal information related to the application, we form a richer signature. Analysis shows that the temporal behavior for many applications is relatively stable. We exclude high variance data when creating a normal database to characterize an application with a temporal signature. It can then be the basis for future comparisons in an intrusion detection system. This paper discusses experiments that test the effectiveness of the temporal signature on different applications, alternative intrusions, and in various environments. The results show that by choosing appropriate analysis methods and experimentally adjusting the parameters, intrusions are readily detected. Finally, we give some comparisons between the temporal signature method and the system call method.
Note: Abstract extracted from PDF text
All rights reserved (no additional license for public reuse)
Jones, Anita, and Song Li. "Temporal Signatures for Intrusion Detection." University of Virginia Dept. of Computer Science Tech Report (2001).
University of Virginia, Department of Computer Science