CDM Seminar Series 2002-03


Incremental Bayesian Segmentation of Sequences of System Calls for Intrusion Detection
Joseph Hastings
Graduate Student
Clinical Decision Making Research Group - MIT LCS

April 2, 2003

A variety of attacks on computer systems involve the hijacking of a server process and the subsequent manipulation of the system under the auspices of that process. In principle, such attacks could be detected by learning the typical behavior of the process and then monitoring its activity for abnormal behavior, which would represent a possible intrusion. Previous research in the field of intrusion detection has suggested that sequences of system calls may be used to classify the behavior of a Unix process as normal or abnormal. In this project, Incremental Bayesian Segmentation (IBS) is applied to sequences of system calls generated by privileged Unix processes such as sendmail, in an attempt to efficiently learn their normal behavior. The result of the IBS training is a library of Markov matrices representing various patterns of normal behavior. Any subsequent activity that cannot be attributed to one of the learned Markov processes is considered a potential intrusion and would trigger a relevant response as part of an Intrusion Detection System.

In this presentation I will discuss the results of IBS training and classification on a variety of known sendmail attacks. The dataset was generated by researchers at the University of New Mexico and has been used in a number of similar studies. A primary goal of this project is to achieve results similar to those obtained using a Hidden Markov Model. A major advantage of IBS over HMMs is that it can be performed in an on-line manner with far fewer computations. The hope is that an IBS system could be deployed to monitor the real-time behavior of a Unix system without adversely affecting the system's performance.
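
The classification step described in the abstract, as an added example that is not code from the talk or the project: a window of system calls is scored against a library of Markov transition matrices and flagged when no matrix explains it. It does not implement IBS segmentation itself; the library is built from pre-grouped traces, and the syscall alphabet, training traces, smoothing and threshold are all constructed assumptions.

```python
import math

# Constructed syscall alphabet and training traces (not from the UNM dataset).
ALPHABET = ["open", "read", "write", "close", "socket", "accept", "fork", "execve"]
TRAINING = {
    "file_io": [["open", "read", "read", "write", "close"]] * 20,
    "network": [["socket", "accept", "read", "write", "close"]] * 20,
}
THRESHOLD = -1.0  # assumed cut-off on mean log-probability per transition


def train_matrix(traces, alpha=1.0):
    """Estimate a first-order transition matrix with add-alpha smoothing."""
    counts = {a: {b: alpha for b in ALPHABET} for a in ALPHABET}
    for trace in traces:
        for prev, cur in zip(trace, trace[1:]):
            counts[prev][cur] += 1
    return {a: {b: c / sum(row.values()) for b, c in row.items()}
            for a, row in counts.items()}


def mean_log_prob(matrix, window, floor=1e-6):
    """Mean log-probability per transition; calls unseen in training get `floor`."""
    pairs = list(zip(window, window[1:]))
    if not pairs:
        raise ValueError("window needs at least two system calls")
    return sum(math.log(matrix.get(p, {}).get(c, floor)) for p, c in pairs) / len(pairs)


def classify(library, window, threshold=THRESHOLD):
    """Return (best-matching model, its score, True if the window is anomalous)."""
    name, score = max(((n, mean_log_prob(m, window)) for n, m in library.items()),
                      key=lambda item: item[1])
    return name, score, score < threshold


# The "library of Markov matrices": one matrix per learned pattern of normal behavior.
LIBRARY = {name: train_matrix(traces) for name, traces in TRAINING.items()}

if __name__ == "__main__":
    for window in (["open", "read", "read", "write", "close"],        # normal
                   ["accept", "read", "execve", "fork", "execve"]):   # constructed anomaly
        print(window, classify(LIBRARY, window))
```

Scoring is a fixed number of table lookups per system call, so it can run as each call arrives, which is the kind of low-cost on-line monitoring the abstract hopes for.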


