Reference from ESORICS proceedings

5th European Symposium on Research in Computer Security (ESORICS 98)

Fixed vs. Variable-Length Patterns for Detecting Suspicious Process Behavior

Hervé Debar, Marc Dacier, Mehdi Nassehi, Andreas Wespi

Keywords:

Abstract: This paper addresses the problem of creating patterns that can be used to model the normal behavior of a given process. These models can be used for intrusion detection purposes. In a previous work, we presented a novel method to generate input data sets that enable us to observe the normal behavior of a process in a secure environment. Using this method, we propose various techniques to generate either fixed-length or variable-length patterns. We show the advantages and drawbacks of each technique, based on the results of the experiments we have run on our testbed.

(Pages 1-15)
