Learning Patterns from Unix Process Execution Traces for Intrusion Detection

Lee, Wenke; Stolfo, Salvatore; Chan, Philip K.

In this paper we describe our preliminary experiments to extend the work pioneered by Forrest (see Forrest et al. 1996) on learning the (normal and abnormal) patterns of Unix processes. These patterns can be used to identify misuses of and intrusions in Unix systems. We formulated machine learning tasks on operating system call sequences of normal and abnormal (intrusion) executions of the Unix sendmail program. We show that our methods can accurately distinguish all abnormal executions of sendmail from the normal ones provided in a set of test traces. These preliminary results indicate that machine learning can play an important role by generalizing stored sequence information to perhaps provide broader intrusion detection services. The experiments also reveal some interesting and challenging problems for future research.


More About This Work

Academic Units
Computer Science
Published Here
May 4, 2010


AI approaches to fraud detection & risk management: papers from the 1997 AAAI Workshop: July 27, 1997, Providence, Rhode Island (Menlo Park, Calif.: AAAI Press, 1997).