Generation of Finite Automata for Intrusion Detection

A Method for Generating Finite State Machines for Intrusion Detection

  • 임영환 (Radix Research Institute)
  • 위규범 (Division of Information and Computer Engineering, Ajou University)
  • Published: 2003.04.01

Abstract

Although there have been many studies on using finite automata for intrusion detection, generating compact finite automata automatically has been a difficult problem. In previous research, an approach to profiling normal behavior using finite automata was proposed. The authors divided the system call sequence of each process into three parts, prefix, main portion, and suffix, and then substituted macros for frequently occurring substrings. However, the procedure was not automatic. In this paper we present algorithms that automatically generate intrusion detection automata from the sequences of system calls produced by normal runs of the programs. We also show the effectiveness of the proposed method through experiments.

In intrusion detection, many studies have profiled normal behavior using finite automata, but automatically generating automata in a compact form has been very difficult. In previous research, in order to profile processes as automata, frequent system call sequences were replaced by macros, and the automata that recognize these sequences were built by hand. In this paper, so that such automata can be generated automatically, we propose a method that performs sequence alignment, finds repeated patterns in the strings, extracts macros from the processes, and generates the automata. Experiments showed that the generated automata can be used effectively for intrusion detection.
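As an added illustration of the macro-substitution idea (example code written for this page, not the paper's algorithm, which additionally uses sequence alignment and a prefix/main-portion/suffix division), the Python below extracts frequent fixed-length substrings from constructed normal traces as macros, substitutes them, builds a finite automaton whose transitions are the token pairs seen in normal runs, and reports every transition a test trace takes that the automaton rejects. The traces, macro length and count threshold are assumptions for illustration; because a macro is only matched whole, a trace that breaks out of a frequent pattern mid-way is flagged at every call of the broken pattern.

```python
from collections import Counter

# Constructed sample traces of system calls from normal runs of a small server
# (assumed data for illustration, not the paper's experimental data).
NORMAL_TRACES = [
    ["execve", "open", "read", "close", "socket", "bind", "listen",
     "accept", "read", "write", "close", "accept", "read", "write", "close", "exit"],
    ["execve", "open", "read", "close", "socket", "bind", "listen",
     "accept", "read", "write", "close", "exit"],
]
START, END = "<start>", "<end>"  # sentinel states so prefix and suffix are checked too

def find_macros(traces, length=4, min_count=3):
    """Map every substring of `length` calls seen at least `min_count` times
    (counted over all normal traces) to a macro name, most frequent first."""
    counts = Counter(tuple(t[i:i + length])
                     for t in traces for i in range(len(t) - length + 1))
    frequent = [s for s, c in counts.most_common() if c >= min_count]
    return {s: f"M{i}" for i, s in enumerate(frequent)}

def apply_macros(trace, macros):
    """Greedy left-to-right substitution of macro names for their substrings."""
    out, i = [], 0
    while i < len(trace):
        for sub, name in macros.items():
            if tuple(trace[i:i + len(sub)]) == sub:
                out.append(name)
                i += len(sub)
                break
        else:
            out.append(trace[i])
            i += 1
    return out

def build_automaton(traces, macros):
    """Automaton over macro-substituted traces: a state is the last token seen,
    and a transition exists only if that token pair occurred in a normal run."""
    auto = {}
    for t in traces:
        tokens = [START] + apply_macros(t, macros) + [END]
        for a, b in zip(tokens, tokens[1:]):
            auto.setdefault(a, set()).add(b)
    return auto

def check_trace(trace, macros, auto):
    """Return every (index, state, token) transition the automaton rejects;
    an empty list means the trace is consistent with the normal profile."""
    tokens = [START] + apply_macros(trace, macros) + [END]
    return [(i, a, b) for i, (a, b) in enumerate(zip(tokens, tokens[1:]))
            if b not in auto.get(a, set())]
```

With the sample data the only macro is the accept/read/write/close service loop, so the automaton collapses both normal traces into a short path with a self-loop on that macro.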
