Conference Topic

Using Extended Information to Refine Program Behavior Profile

  System calls provide the interface between an application and the operating system, and are widely used to detect network intrusions. In this paper, a new audit event is constructed by extracting extended information from the system call stack, and is used to refine the program profile. We name it l-call. A Chebyshev's inequality based approach is also proposed to measure the anomaly degree, which reflects the degree of deviation from normal behavior due to intrusions. Compared with system calls, l-call is finer-grained and better describes program behavior. Although the number of l-calls is greater than that of system calls, which inevitably leads to greater storage overhead, many experiments show that these costs are at an acceptable level, and that the l-call-based model achieves better detection performance than the system-call-based model.

extended information; l-call; Chebyshev's inequality; anomaly degree

Feng Xie, Yong Peng, Dongqing Chen

China Information Technology Security Evaluation Center, Beijing, China

International conference

2012 IEEE 14th International Conference on Communication Technology (ICCT 2012)

Chengdu

English

1070-1074

2012-11-09 (date first made available online on the Wanfang platform; not the paper's publication date)