| Zurich Research Laboratory |
There are Unix processes whose normal behavior can be modeled by a set of typical patterns, a pattern being a subsequence of the audit events that the process can generate. Examples of such processes are network services such as ftp or sendmail. Intrusion-detection systems that make use of this observation first need to build a table of representative patterns. The patterns are determined by letting the process invoke as many subcommands as possible and then extracting the patterns from the corresponding sequences of audit events. During real-time operation, a pattern-matching algorithm is applied to cover, on the fly, the audit events generated by the monitored process.
An intrusion is assumed to exercise abnormal paths in the executable code. These abnormal paths correspond to sequences of audit events that cannot be covered, or can be covered only partly, by the entries in the pattern table. Subsequences of audit events that cannot be matched are therefore an indication of an attack.
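The table-building and coverage steps described above, as an added example that is not DaemonWatcher's code: the pattern-mining function is a simplified frequent-substring step that stands in for Teiresias, the audit-event names and training traces are constructed, and coverage is computed over a complete trace rather than on the fly.

```python
"""Pattern-table construction and coverage of audit-event traces.

Constructed sample data; mine_patterns() is a deliberately simple
stand-in for a pattern-discovery algorithm such as Teiresias."""
from collections import Counter

# Constructed training traces of a hypothetical network daemon, one
# token per audit event, recorded while exercising its subcommands.
TRAIN = [
    "accept read open read close write close".split(),
    "accept read open read close write close accept read".split(),
    "accept read stat open read close write close".split(),
]


def mine_patterns(traces, min_len=2, max_len=4, min_support=2):
    """Build the pattern table: every contiguous subsequence of length
    min_len..max_len that occurs at least min_support times across the
    training traces. Variable-length patterns let the table absorb
    optional events (the 'stat' in the third trace) without listing
    every full trace."""
    counts = Counter()
    for trace in traces:
        for length in range(min_len, max_len + 1):
            for i in range(len(trace) - length + 1):
                counts[tuple(trace[i:i + length])] += 1
    return {pattern for pattern, c in counts.items() if c >= min_support}


def uncovered_events(trace, patterns):
    """Cover the trace with table entries: an event is covered if any
    pattern occurrence in the trace contains it. Events left uncovered
    are the anomaly signal an operator would alert on."""
    covered = [False] * len(trace)
    max_len = max((len(p) for p in patterns), default=0)
    for i in range(len(trace)):
        for length in range(1, min(max_len, len(trace) - i) + 1):
            if tuple(trace[i:i + length]) in patterns:
                for j in range(i, i + length):
                    covered[j] = True
    return [(i, event) for i, event in enumerate(trace) if not covered[i]]


PATTERNS = mine_patterns(TRAIN)

if __name__ == "__main__":
    normal = "accept read open read close write close".split()
    odd = "accept read open read close chmod write close".split()
    print("normal trace, uncovered:", uncovered_events(normal, PATTERNS))
    print("odd trace, uncovered:", uncovered_events(odd, PATTERNS))
```

Short patterns make coverage lenient: a trace that merely omits an event can still be fully covered, so the pattern lengths and support threshold trade false negatives against false positives.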
For this work, we used the Teiresias pattern discovery algorithm developed by I. Rigoutsos et al. to extract variable-length patterns from these sequences.
The resulting implementation of this project was called DaemonWatcher.