Efficient context-sensitive intrusion detection based on state transition table

Jingyu Hua, Mingchu Li, Yizhi Ren, Kouichi Sakurai

Research output: Contribution to journal › Article

Abstract

Those host-based intrusion detection models like VPStatic first construct a model of acceptable behaviors for each monitored program via static analysis, and then perform intrusion detection by comparing them with programs' runtime behaviors. These models usually share the highly desirable feature that they do not produce false alarms but face the conflicts between accuracy and efficiency. For instance, the high accuracy of the VPStatic model is at the cost of high space complexity. In this paper, we use a statically-constructed state transition table (STT), which records expected transitions among system calls as well as their stack states (return address lists), as a behavior model to perform context-sensitive intrusion detection. According to our analysis, our STT model improves the space efficiency of the VPStatic model without decreasing its high precision and time efficiency. Experiments show that for three test programs, memory uses of our STT models are all much less than half of the VPStatic models'. Thereby, we alleviate the conflicts between the accuracy and the efficiency.

Original language: English
Pages (from-to): 255-264
Number of pages: 10
Journal: IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
Volume: E94-A
Issue number: 1
DOIs: 10.1587/transfun.E94.A.255
Publication status: Published - Jan 2011

Fingerprint

Intrusion detection
State Transition
Intrusion Detection
Table
Model
Context
Program Analysis
Transition Systems
Space Complexity
Static analysis
False Alarm
Static Analysis
High Accuracy
Data storage equipment

All Science Journal Classification (ASJC) codes

  • Signal Processing
  • Computer Graphics and Computer-Aided Design
  • Electrical and Electronic Engineering
  • Applied Mathematics

Cite this

Efficient context-sensitive intrusion detection based on state transition table. / Hua, Jingyu; Li, Mingchu; Ren, Yizhi; Sakurai, Kouichi.

In: IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, Vol. E94-A, No. 1, 01.2011, p. 255-264.


@article{d9c03d91621c482eb676c75df4a3a1b2,
title = "Efficient context-sensitive intrusion detection based on state transition table",
abstract = "Those host-based intrusion detection models like VPStatic first construct a model of acceptable behaviors for each monitored program via static analysis, and then perform intrusion detection by comparing them with programs' runtime behaviors. These models usually share the highly desirable feature that they do not produce false alarms but face the conflicts between accuracy and efficiency. For instance, the high accuracy of the VPStatic model is at the cost of high space complexity. In this paper, we use a statically-constructed state transition table (STT), which records expected transitions among system calls as well as their stack states (return address lists), as a behavior model to perform context-sensitive intrusion detection. According to our analysis, our STT model improves the space efficiency of the VPStatic model without decreasing its high precision and time efficiency. Experiments show that for three test programs, memory uses of our STT models are all much less than half of the VPStatic models'. Thereby, we alleviate the conflicts between the accuracy and the efficiency.",
author = "Jingyu Hua and Mingchu Li and Yizhi Ren and Kouichi Sakurai",
year = "2011",
month = "1",
doi = "10.1587/transfun.E94.A.255",
language = "English",
volume = "E94-A",
pages = "255--264",
journal = "IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences",
issn = "0916-8508",
publisher = "Maruzen Co., Ltd/Maruzen Kabushikikaisha",
number = "1",
}

TY - JOUR

T1 - Efficient context-sensitive intrusion detection based on state transition table

AU - Hua, Jingyu

AU - Li, Mingchu

AU - Ren, Yizhi

AU - Sakurai, Kouichi

PY - 2011/1

Y1 - 2011/1

N2 - Those host-based intrusion detection models like VPStatic first construct a model of acceptable behaviors for each monitored program via static analysis, and then perform intrusion detection by comparing them with programs' runtime behaviors. These models usually share the highly desirable feature that they do not produce false alarms but face the conflicts between accuracy and efficiency. For instance, the high accuracy of the VPStatic model is at the cost of high space complexity. In this paper, we use a statically-constructed state transition table (STT), which records expected transitions among system calls as well as their stack states (return address lists), as a behavior model to perform context-sensitive intrusion detection. According to our analysis, our STT model improves the space efficiency of the VPStatic model without decreasing its high precision and time efficiency. Experiments show that for three test programs, memory uses of our STT models are all much less than half of the VPStatic models'. Thereby, we alleviate the conflicts between the accuracy and the efficiency.

AB - Those host-based intrusion detection models like VPStatic first construct a model of acceptable behaviors for each monitored program via static analysis, and then perform intrusion detection by comparing them with programs' runtime behaviors. These models usually share the highly desirable feature that they do not produce false alarms but face the conflicts between accuracy and efficiency. For instance, the high accuracy of the VPStatic model is at the cost of high space complexity. In this paper, we use a statically-constructed state transition table (STT), which records expected transitions among system calls as well as their stack states (return address lists), as a behavior model to perform context-sensitive intrusion detection. According to our analysis, our STT model improves the space efficiency of the VPStatic model without decreasing its high precision and time efficiency. Experiments show that for three test programs, memory uses of our STT models are all much less than half of the VPStatic models'. Thereby, we alleviate the conflicts between the accuracy and the efficiency.

UR - http://www.scopus.com/inward/record.url?scp=78650964425&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=78650964425&partnerID=8YFLogxK

U2 - 10.1587/transfun.E94.A.255

DO - 10.1587/transfun.E94.A.255

M3 - Article

AN - SCOPUS:78650964425

VL - E94-A

SP - 255

EP - 264

JO - IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences

JF - IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences

SN - 0916-8508

IS - 1

ER -