Lookahead Pairs and Full Sequences: A Tale of Two Anomaly Detection Methods
Hajime Inoue and Anil Somayaji
Sequence-based analysis has been both a widely imitated and widely criticized approach to anomaly detection. In virtually all of the follow-up work to Forrest et al. (1996), though, the distinction between the initially proposed “lookahead pairs” and the follow-on “full sequence” analysis methods has been overlooked. We have discovered that this oversight is significant: specifically, here we demonstrate that, on previously published and well-studied datasets, lookahead pairs produce significantly fewer false positives. Although lower false positive rates make lookahead pairs an attractive system call modeling technique, their usefulness may be compromised by an increased vulnerability to mimicry attacks. This threat can be mitigated through the use of larger sequences. Here we show that lookahead pairs produce relatively few false alarms even with longer sequences (n > 10); we also demonstrate a new technique, random schema masks, which permits the use of even longer sequences. With these new results and techniques, we conclude that the lookahead pair method should be considered as one of the benchmark techniques for modeling system calls.

See the ASIA ‘07 Proceedings for the complete papers...
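The difference between the two models named in the abstract can be seen on a small trace. The following is an added example, not code from the paper or its authors; it assumes the usual formulation in which a full-sequence model stores every length-n window of system calls and a lookahead-pair model stores (call, call k positions later, k) for k < n. The traces, the window size and all function names are constructed for illustration.

```python
def windows(trace, n):
    """All length-n sliding windows of a system call trace."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]

def train(traces, n):
    """Build both models from the same normal traces.

    full  : set of observed length-n windows
    pairs : set of (first call, call at offset k, k) for 1 <= k < n
    """
    full, pairs = set(), set()
    for trace in traces:
        for w in windows(trace, n):
            full.add(w)
            pairs.update((w[0], w[k], k) for k in range(1, n))
    return full, pairs

def anomalies(trace, n, full, pairs):
    """Count mismatching windows as (full_sequence, lookahead_pair)."""
    f = p = 0
    for w in windows(trace, n):
        f += w not in full
        p += any((w[0], w[k], k) not in pairs for k in range(1, n))
    return f, p

# Constructed sample data: two normal traces and two test traces.
N = 3
NORMAL = [
    ["open", "read", "write", "close"],
    ["open", "mmap", "close"],
]
FULL, PAIRS = train(NORMAL, N)

# Benign ordering never seen as a whole window, but every pair was seen.
UNSEEN_BENIGN = ["open", "read", "close"]
# Contains a call that never followed "open" at distance 2 in training.
NOVEL_CALL = ["open", "read", "execve"]

if __name__ == "__main__":
    for name, t in [("unseen benign", UNSEEN_BENIGN), ("novel call", NOVEL_CALL)]:
        f, p = anomalies(t, N, FULL, PAIRS)
        print(f"{name}: full-sequence={f} lookahead-pairs={p}")
```

The benign reordering is flagged only by the full-sequence model, which is the false-positive gap the abstract reports; the same generalization is why the abstract raises mimicry as a concern for lookahead pairs.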