17th Annual Computer Security Applications Conference
December 10-14, 2001
New Orleans, Louisiana

Temporal Signatures for Intrusion Detection

Song Li, Anita Jones
University of Virginia

We introduce a new method for detecting intrusions based on the temporal behavior of applications. It builds on an existing method of application intrusion detection developed by the University of New Mexico, which uses a system call sequence as a signature and detects intrusions by comparing the signature of the intrusion with that of the normal application. When the system call sequences generated by the intrusion and the normal application are the same, however, the existing method does not work. By associating the time intervals between system calls with the sequences of system calls, we can form a richer signature. Analysis shows that the temporal behavior of certain applications is relatively stable. After excluding high-variance data, a normal database characterizing the application can be established as the basis for future comparison. Our new method can detect some intrusions that cannot be detected by the system call sequence signature alone. To make our technique more practical, we provide a quantitative definition of the normal database. We perform experiments to test the effectiveness of the new signature on a variety of different applications, alternate intrusions, and various environments. The results show that by choosing appropriate analysis models and experimentally adjusting the parameters, intrusions can be detected. Finally, we give some comparisons between the new method and the existing method.
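The idea in the abstract, as an added sketch that is not code from the paper: a normal database keyed by system call sequence that also stores interval statistics, so a trace with a known sequence but abnormal timing is still flagged. The window length, the coefficient-of-variation cutoff used for "high variance", the mean/standard-deviation comparison and all sample traces are assumptions made for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev
# All parameters are assumptions for this sketch, not values from the paper.
K = 3            # length of the system call sequence used as a key
MAX_CV = 0.5     # drop timing for sequences whose interval varies more than this
TOLERANCE = 3.0  # allowed deviation from the mean, in standard deviations
FLOOR = 1e-4     # minimum spread in seconds, so sigma == 0 does not flag jitter

def windows(trace, k=K):
    """Yield (k-gram of call names, elapsed seconds) from [(timestamp, name), ...]."""
    for i in range(len(trace) - k + 1):
        chunk = trace[i:i + k]
        yield tuple(name for _, name in chunk), chunk[-1][0] - chunk[0][0]

def build_normal_db(traces, k=K, max_cv=MAX_CV):
    """Map each observed sequence to (mean, stdev), or None if timing is unstable."""
    samples = defaultdict(list)
    for trace in traces:
        for seq, dt in windows(trace, k):
            samples[seq].append(dt)
    db = {}
    for seq, dts in samples.items():
        mu, sigma = mean(dts), pstdev(dts)
        db[seq] = (mu, sigma) if mu > 0 and sigma / mu <= max_cv else None
    return db

def check(trace, db, k=K, tol=TOLERANCE):
    """Return alerts for unseen sequences and for known sequences with odd timing."""
    alerts = []
    for seq, dt in windows(trace, k):
        if seq not in db:
            alerts.append(("unknown-sequence", seq))
        elif db[seq] and abs(dt - db[seq][0]) > tol * max(db[seq][1], FLOOR):
            alerts.append(("timing-anomaly", seq))
    return alerts

def make_trace(names, gaps):
    """Build a constructed trace from call names and the gap before each call."""
    t, out = 0.0, []
    for name, gap in zip(names, gaps):
        t += gap
        out.append((round(t, 6), name))
    return out

# Constructed data: three normal runs, then the same calls with a long stall.
CALLS = ["open", "read", "write", "close"]
NORMAL = [make_trace(CALLS, g) for g in ([0, .0010, .0020, .0010],
          [0, .0011, .0019, .0010], [0, .0009, .0021, .0011])]
DB = build_normal_db(NORMAL)
STALLED = make_trace(CALLS, [0, .0010, .0500, .0010])
```

`check(STALLED, DB)` reports two timing anomalies and no unknown sequence, which is the case a sequence-only signature misses.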
