Academic Commons

Articles

Modeling System Calls for Intrusion Detection with Dynamic Window Sizes

Eskin, Eleazar; Lee, Wenke; Stolfo, Salvatore

We extend prior research on system call anomaly detection modeling methods for intrusion detection by incorporating dynamic window sizes. The window size is the length of the subsequence of a system call trace which is used as the basic unit for modeling program or process behavior. In this work we incorporate dynamic window sizes and show marked improvements in anomaly detection. We present two methods for estimating the optimal window size based on the available training data. The first method is an entropy modeling method which determines the optimal single window size for the data. The second method is a probability modeling method that takes into account context dependent window sizes. A context dependent window size model is motivated by the way that system calls are generated by processes. Sparse Markov transducers (SMTs) are used to compute the context dependent window size model. We show over actual system call traces that the entropy modeling methods lead to the optimal single window size. We also show that context dependent window sizes outperform traditional system call modeling methods.

Subjects

Files

More About This Work

Academic Units
Computer Science
Published Here
May 3, 2010

Notes

DISCEX'01: DARPA Information Survivability Conference & Exposition II: proceedings: 12-14 June, 2001, Anaheim, California, vol. 1 (Los Alamitos, Calif.: IEEE Computer Society, 2001), pp. 165-175.

Academic Commons provides global access to research and scholarship produced at Columbia University, Barnard College, Teachers College, Union Theological Seminary and Jewish Theological Seminary. Academic Commons is managed by the Columbia University Libraries.