Fixed vs. Variable-length patterns for detecting suspicious process behavior

Hervé Debar; Marc Dacier; Mehdi Nassehi; Andreas Wespi

doi:10.1007/BFb0055852

Fixed vs. Variable-length patterns for detecting suspicious process behavior

Hervé Debar
, Marc Dacier
, Mehdi Nassehi
, Andreas Wespi

S.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

This paper addresses the problem of creating patterns that can be used to model the normal behavior of a given process. These models can be used for intrusion detection purposes. In a previous work, we presented a novel method to generate input data sets that enable us to observe the normal behavior of a process in a secure environment. Using this method, we propose various techniques to generate either fixed-length or variable-length patterns. We show the advantages and drawbacks of each technique, based on the results of the experiments we have run on our testbed.

Original language	English
Title of host publication	Computer Security — ESORICS 1998 - 5th European Symposium on Research in Computer Security, Proceedings
Editors	Yves Deswarte, Jean-Jacques Quisquater, Dieter Gollmann, Catherine Meadows
Publisher	Springer Verlag
Pages	1-15
Number of pages	15
ISBN (Print)	3540650040, 9783540650041
DOIs	https://doi.org/10.1007/BFb0055852
Publication status	Published - 1 Jan 1998
Externally published	Yes
Event	5th European Symposium on Research in Computer Security, ESORICS 1998 - Louvain-la-Neuve, Belgium Duration: 16 Sept 1998 → 18 Sept 1998

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	1485
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	5th European Symposium on Research in Computer Security, ESORICS 1998
Country/Territory	Belgium
City	Louvain-la-Neuve
Period	16/09/98 → 18/09/98

Access to Document

10.1007/BFb0055852

Cite this

Debar, H., Dacier, M., Nassehi, M., & Wespi, A. (1998). Fixed vs. Variable-length patterns for detecting suspicious process behavior. In Y. Deswarte, J.-J. Quisquater, D. Gollmann, & C. Meadows (Eds.), Computer Security — ESORICS 1998 - 5th European Symposium on Research in Computer Security, Proceedings (pp. 1-15). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 1485). Springer Verlag. https://doi.org/10.1007/BFb0055852

Debar, Hervé ; Dacier, Marc ; Nassehi, Mehdi et al. / Fixed vs. Variable-length patterns for detecting suspicious process behavior. Computer Security — ESORICS 1998 - 5th European Symposium on Research in Computer Security, Proceedings. editor / Yves Deswarte ; Jean-Jacques Quisquater ; Dieter Gollmann ; Catherine Meadows. Springer Verlag, 1998. pp. 1-15 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{d242d167e2ff4f18a801943403a3b278,

title = "Fixed vs. Variable-length patterns for detecting suspicious process behavior",

abstract = "This paper addresses the problem of creating patterns that can be used to model the normal behavior of a given process. These models can be used for intrusion detection purposes. In a previous work, we presented a novel method to generate input data sets that enable us to observe the normal behavior of a process in a secure environment. Using this method, we propose various techniques to generate either fixed-length or variable-length patterns. We show the advantages and drawbacks of each technique, based on the results of the experiments we have run on our testbed.",

author = "Herv{\'e} Debar and Marc Dacier and Mehdi Nassehi and Andreas Wespi",

note = "Publisher Copyright: {\textcopyright} Springer-Verlag Berlin Heidelberg 1998.; 5th European Symposium on Research in Computer Security, ESORICS 1998 ; Conference date: 16-09-1998 Through 18-09-1998",

year = "1998",

month = jan,

day = "1",

doi = "10.1007/BFb0055852",

language = "English",

isbn = "3540650040",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "1--15",

editor = "Yves Deswarte and Jean-Jacques Quisquater and Dieter Gollmann and Catherine Meadows",

booktitle = "Computer Security — ESORICS 1998 - 5th European Symposium on Research in Computer Security, Proceedings",

}

Debar, H, Dacier, M, Nassehi, M & Wespi, A 1998, Fixed vs. Variable-length patterns for detecting suspicious process behavior. in Y Deswarte, J-J Quisquater, D Gollmann & C Meadows (eds), Computer Security — ESORICS 1998 - 5th European Symposium on Research in Computer Security, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 1485, Springer Verlag, pp. 1-15, 5th European Symposium on Research in Computer Security, ESORICS 1998, Louvain-la-Neuve, Belgium, 16/09/98. https://doi.org/10.1007/BFb0055852

Fixed vs. Variable-length patterns for detecting suspicious process behavior. / Debar, Hervé; Dacier, Marc; Nassehi, Mehdi et al.
Computer Security — ESORICS 1998 - 5th European Symposium on Research in Computer Security, Proceedings. ed. / Yves Deswarte; Jean-Jacques Quisquater; Dieter Gollmann; Catherine Meadows. Springer Verlag, 1998. p. 1-15 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 1485).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Fixed vs. Variable-length patterns for detecting suspicious process behavior

AU - Debar, Hervé

AU - Dacier, Marc

AU - Nassehi, Mehdi

AU - Wespi, Andreas

N1 - Publisher Copyright: © Springer-Verlag Berlin Heidelberg 1998.

PY - 1998/1/1

Y1 - 1998/1/1

N2 - This paper addresses the problem of creating patterns that can be used to model the normal behavior of a given process. These models can be used for intrusion detection purposes. In a previous work, we presented a novel method to generate input data sets that enable us to observe the normal behavior of a process in a secure environment. Using this method, we propose various techniques to generate either fixed-length or variable-length patterns. We show the advantages and drawbacks of each technique, based on the results of the experiments we have run on our testbed.

AB - This paper addresses the problem of creating patterns that can be used to model the normal behavior of a given process. These models can be used for intrusion detection purposes. In a previous work, we presented a novel method to generate input data sets that enable us to observe the normal behavior of a process in a secure environment. Using this method, we propose various techniques to generate either fixed-length or variable-length patterns. We show the advantages and drawbacks of each technique, based on the results of the experiments we have run on our testbed.

UR - https://www.scopus.com/pages/publications/84958752009

U2 - 10.1007/BFb0055852

DO - 10.1007/BFb0055852

M3 - Conference contribution

AN - SCOPUS:84958752009

SN - 3540650040

SN - 9783540650041

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 1

EP - 15

BT - Computer Security — ESORICS 1998 - 5th European Symposium on Research in Computer Security, Proceedings

A2 - Deswarte, Yves

A2 - Quisquater, Jean-Jacques

A2 - Gollmann, Dieter

A2 - Meadows, Catherine

PB - Springer Verlag

T2 - 5th European Symposium on Research in Computer Security, ESORICS 1998

Y2 - 16 September 1998 through 18 September 1998

ER -

Debar H, Dacier M, Nassehi M, Wespi A. Fixed vs. Variable-length patterns for detecting suspicious process behavior. In Deswarte Y, Quisquater JJ, Gollmann D, Meadows C, editors, Computer Security — ESORICS 1998 - 5th European Symposium on Research in Computer Security, Proceedings. Springer Verlag. 1998. p. 1-15. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/BFb0055852

Fixed vs. Variable-length patterns for detecting suspicious process behavior

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Cite this