Modeling System Calls for Intrusion Detection with Dynamic Window Sizes

Eleazar Eskin; Wenke Lee; Salvatore Stolfo

Modeling System Calls for Intrusion Detection with Dynamic Window Sizes
Eskin, Eleazar
Lee, Wenke
Stolfo, Salvatore
Computer Science
Persistent URL:
DISCEX'01: DARPA Information Survivability Conference & Exposition II: proceedings: 12-14 June, 2001, Anaheim, California, vol. 1 (Los Alamitos, Calif.: IEEE Computer Society, 2001), pp. 165-175.
We extend prior research on system call anomaly detection modeling methods for intrusion detection by incorporating dynamic window sizes. The window size is the length of the subsequence of a system call trace which is used as the basic unit for modeling program or process behavior. In this work we incorporate dynamic window sizes and show marked improvements in anomaly detection. We present two methods for estimating the optimal window size based on the available training data. The first method is an entropy modeling method which determines the optimal single window size for the data. The second method is a probability modeling method that takes into account context dependent window sizes. A context dependent window size model is motivated by the way that system calls are generated by processes. Sparse Markov transducers (SMTs) are used to compute the context dependent window size model. We show over actual system call traces that the entropy modeling methods lead to the optimal single window size. We also show that context dependent window sizes outperform traditional system call modeling methods.
Computer science
Publisher DOI:
Item views
text | xml
Suggested Citation:
Eleazar Eskin, Wenke Lee, Salvatore Stolfo, 2001, Modeling System Calls for Intrusion Detection with Dynamic Window Sizes, Columbia University Academic Commons, http://hdl.handle.net/10022/AC:P:8721.

Center for Digital Research and Scholarship at Columbia University Libraries | Terms of Use | Copyright