정보처리학회논문지C (The KIPS Transactions:PartC)

한국정보처리학회 (Korea Information Processing Society)
권호 표지
DOI QR코드

DOI QR Code

침입탐지를 위한 X2 거리기반 다변량 분석기법을 이용한 프로그램 행위 프로파일링

Profiling Program Behavior with X2 distance-based Multivariate Analysis for Intrusion Detection

  • 김정일 (전남대학교 대학원 전산학과) ;
  • 김용민 (전남대학교 리눅스시스템 보안연구센터 Post-doc.) ;
  • 서재현 (목포대학교 정보공학부) ;
  • 노봉남 (전남대학교 컴퓨터정보학부)
  • 발행 : 2003.08.01
PDF 다운로드
⟨ 이전 논문 다음 논문 ⟩

초록

프로그램 행위기반 침입탐지 기법은 데몬 프로그램이나 루트 권한으로 실행되는 프로그램이 발생시키는 시스템 호출들을 분석하고 프로그램 행위 프로파일을 구축하여 잠재적인 공격을 효과적으로 탐지한다. 그러나 각 프로그램마다 매우 큰 프로파일이 구축되어야 하는 문제점이 있다. 본 논문은 프로파일의 크기를 줄이기 위해, 프로그램 행위 프로파일링 및 이상행위 탐지에 X$^2$ 거리기반 다변량 분석 기법을 응용하였다. 실험 결과, 프로파일을 비교적 작게 유지하면서 탐지율에서는 의미있는 결과를 보였다.

Intrusion detection techniques based on program behavior can detect potential intrusions against systems by analyzing system calls made by demon programs or root-privileged programs and building program profiles. But there is a drawback : large profiles must be built for each program. In this paper, we apply $X^2$ distance-based multivariate analysis to profiling program behavior and detecting abnormal behavior in order to reduce profiles. Experiment results show that profiles are relatively small and the detection rate is significant.

키워드

참고문헌

  1. S. Axelsson, 'Intrusion detection systems: A survey and taxonorny,' Technical report. Department of Computer Engneering, chalmers University of Technology, Goteborg, Sweden, 2000
  2. S. Noel, D. Wijesekera and C. Youman, 'Modem Intrusion Lctection, Data Mining, and Degrees of Attack Guilt,' Applications of Data Mining in Computer Security, Kluwer Academic Publishers, 2002
  3. S. Kumar and E. H. Spafford, 'A Software Architecture to Support Misuse Intrusion Detection,' Proceedings of the 18th National Information Security Conference, pp.194-204, 1995
  4. A. K. Ghosh, A. Schwarzbard and M. Shatz, 'Learning program behavior profiles for intrusion detection,' Proceedings of the 1st UNENIX Workshop on Intrusion Detection and Network Monitoring, April, 1999
  5. C. Krugel, T. Toth and E. Kirda, 'Service Specific Anomaly Detection for Network Intrusion Detection,' Symposium on Applied Computing (SAC), ACM Digital Library, March 2002 https://doi.org/10.1145/508791.508835
  6. A. K. Ghosh, J. Wanken and F. charron, 'Detecting anomalous and unknown intrusions against programs,' Proceedings of the 1998 Annual computer Security Applications conference(ACSAC '98), 1998 https://doi.org/10.1109/CSAC.1998.738646
  7. S. Forrest, S. Hofmeyr, A. Somayaji and T. Longstaff, 'A sense of self for unix processes, In IEEE Symposium on Security and privacy,' pp.120-128, 1996 https://doi.org/10.1109/SECPRI.1996.502675
  8. S. A. Hofrneyr, A. Somayaji and S. Forrest, 'Intrusion Detection using Sequences of System Calls,' Journal of Computer Security, Vol.6, pp.151-180, 1998
  9. C. Warrender, S. Forrest and B. Pearlmutter, 'Detecting Intrusions Using System Calls: Alternative Data Models,' 1999 IEEE Symposium on Security and Privacy, pp.133-145, 1999 https://doi.org/10.1109/SECPRI.1999.766910
  10. C. Ko, G. Fink and K. Levitt, 'Execution monitoring of security-critical programs in distributed systems : A specificatin-based approach,' Proceedings of the 1997 IEEE Symposium on Security and Privacy, pp.134-144, 1997 https://doi.org/10.1109/SECPRI.1997.601332
  11. C. Ko, G. Fink, K. Levitt, 'Automated Detection of Vulnerabilities in Privileged Programs by Execution Monitoring,' Proceedings of the 1994 Computer Security Applications Conference, 1994 https://doi.org/10.1109/CSAC.1994.367313
  12. D. Wagner and R. Dean, 'Intrusion detection via static analysis,' In IEEE Symposium on Security and Privacy, IEEE Computer Society, 2002 https://doi.org/10.1109/SECPRI.2001.924296
  13. A. Wespi, M. Dacier and H. Debara, 'Intrusion detection using variable-length audit trail patterns,' Recent Advances in Intrusion Detection(RAID 2000), pp.110-129, 2000
  14. W. Lee and S. Stolfo, 'Learning Patterns from Unix Process Execution Traces for Intrusion Detection,' AAAI Workshop: AI Approaches to Fraud Detection and RISK Management, pp.50-56, July, 1997
  15. N. Ye, Q. Chen, S. Vilbert, 'Multivariate Statistical Analysis of Audit Trails for Host-Based Intrusion Detection,' IEEE Transactions of computers, Vol.51, No.7, pp.810-820, July, 2002 https://doi.org/10.1109/TC.2002.1017701
  16. D. Montgomery, 'Introduction to Statistical Quality Control,' John wiley & Sons, 2000
  17. C. A. Lowry, W. H. Woodall, C. W. Champ and S. E. Rigdon, 'A Multivariate Exponentially Weighted Moving Average Chart,' Technometrics, 34, pp.46-53, 1992 https://doi.org/10.2307/1269551
  18. S. Forrest, Computer immune systems data sets, http://www.cs.unm.edu/~immsec/data-sets.htm. 1997