Annual Symposium on Information Assurance >> ASIA

Lookahead Pairs and Full Sequences: A Tale of Two Anomaly Detection Methods
Hajime Inoue and Anil Somayaji
Carleton University

Sequence-based analysis has been both a widely imitated and widely criticized approach to anomaly detection. In virtually all of the follow-up work to Forrest et al. (1996), though, the distinction between the initially proposed “lookahead pairs” and the follow-on “full sequence” analysis methods has been overlooked. We have discovered that this oversight is significant: specifically, here we demonstrate that, on previously published and well-studied datasets, lookahead pairs produce significantly fewer false positives. Although lower false positive rates make lookahead pairs an attractive system call modeling technique, their usefulness may be compromised by an increased vulnerability to mimicry attacks. This threat can be mitigated through the use of larger sequences. Here we show that lookahead pairs produce relatively few false alarms even with longer sequences (n > 10); we also demonstrate a new technique, random schema masks, which permits the use of even longer sequences. With these new results and techniques, we conclude that the lookahead pair method should be considered as one of the benchmark techniques for modeling system calls.
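As an added illustration, not code from the paper or its authors, the following Python model implements both methods on constructed toy traces with n = 3: the full-sequence profile stores every length-n window, the lookahead-pair profile stores only (call, lookahead k, following call) triples, and a test trace that recombines fragments seen in training is flagged by the former but accepted by the latter. Window-level scoring of the pair method is this example's own simplification.

```python
from collections import defaultdict

NORMAL_TRACES = [  # constructed toy system-call traces, not the paper's datasets
    ["open", "read", "write", "close"],
    ["open", "stat", "close"],
    ["open", "read", "read", "write", "close"],
]

def windows(trace, n):
    """Yield every length-n sliding window of a trace as a tuple."""
    for i in range(len(trace) - n + 1):
        yield tuple(trace[i:i + n])

def train_full_sequences(traces, n):
    """Full-sequence profile: the set of every length-n window seen in training."""
    return {w for t in traces for w in windows(t, n)}

def train_lookahead_pairs(traces, n):
    """Lookahead-pair profile: (call, k) -> calls seen exactly k positions after it."""
    profile = defaultdict(set)
    for t in traces:
        for i, call in enumerate(t):
            for k in range(1, n):
                if i + k < len(t):
                    profile[(call, k)].add(t[i + k])
    return profile

def full_sequence_mismatches(profile, trace, n):
    """Windows of the test trace absent from the full-sequence profile."""
    return [w for w in windows(trace, n) if w not in profile]

def lookahead_pair_mismatches(profile, trace, n):
    """Windows whose leading call has an unseen (k, call) pair (window-level scoring
    is this example's simplification).  Every window in the full-sequence profile
    passes here, so pairs flag a subset of what full sequences flag: fewer false
    positives, but a looser model that more sequences, crafted ones too, satisfy."""
    return [w for w in windows(trace, n)
            if any(w[k] not in profile.get((w[0], k), ()) for k in range(1, n))]

def compare(test_trace, n=3, traces=NORMAL_TRACES):
    """Return (full-sequence mismatch count, lookahead-pair mismatch count)."""
    full = full_sequence_mismatches(train_full_sequences(traces, n), test_trace, n)
    pairs = lookahead_pair_mismatches(train_lookahead_pairs(traces, n), test_trace, n)
    return len(full), len(pairs)

if __name__ == "__main__":
    # A recombination of seen behaviour: novel as a 3-gram, familiar as pairs.
    print(compare(["open", "read", "close"]))   # (1, 0)
    # An ordering never seen in any form is flagged by both methods.
    print(compare(["open", "write", "close"]))  # (1, 1)
```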

See the ASIA ‘07 Proceedings for the complete papers...

I do not fear computers. I fear the lack of them.

- Isaac Asimov

Just as drivers who share the road must also share responsibility for safety, we all now share the same global network, and thus must regard computer security as a necessary social responsibility. To me, anyone unwilling to take simple security precautions is a major, active, part of the problem.

- Fred Langa

In theory, one can build provably secure systems. In theory, theory can be applied to practice, but in practice, it can’t.

- M. Dacier