By Topic

Intrusion detection based on system calls and homogeneous Markov chains

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$33 $31
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

4 Author(s)
Xinguang, Tian ; Inst. of Computing Technology, Beijing Jiaotong Univ., Beijing 100029, P. R. China; Inst. of Computing Technology, Chinese Academy of Sciences, Beijing 100080, P. R. China ; Miyi, Duan ; Chunlai, Sun ; Wenfa, Li

A novel method for detecting anomalous program behavior is presented, which is applicable to host-based intrusion detection systems that monitor system call activities. The method constructs a homogeneous Markov chain model to characterize the normal behavior of a privileged program, and associates the states of the Markov chain with the unique system calls in the training data. At the detection stage, the probabilities that the Markov chain model supports the system call sequences generated by the program are computed. A low probability indicates an anomalous sequence that may result from intrusive activities. Then a decision rule based on the number of anomalous sequences in a locality frame is adopted to classify the program's behavior. The method gives attention to both computational efficiency and detection accuracy, and is especially suitable for on-line detection. It has been applied to practical host-based intrusion detection systems.

Published in:

Systems Engineering and Electronics, Journal of  (Volume:19 ,  Issue: 3 )