Program behavior control is an active detection mechanism. Research on program behavior control mainly focuses on four aspects: audit data selection, behavior description, the establishment of normal behavior, and behavior matching. This paper investigates the event sequence model and proposes the use of LSM (Linux Security Modules) hooks as an alternative data source to system calls. Based on data quality analysis and execution results from real systems, the efficiency of the LSM data source is verified from both theoretical and practical points of view. Results show that, because of its finer granularity and better security relevance, the LSM data source is more suitable for the audit events used in event sequence models.
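The event sequence model the abstract refers to builds a database of short fixed-length windows of audit events observed during normal runs and flags windows that never occurred in training. The following is an added illustration, not code from the paper: it uses constructed traces whose event names are modelled on LSM hook names (assumed here for illustration, not taken from the paper's data) in place of system-call numbers.

```python
"""Sliding-window event-sequence model over LSM hook events (added example)."""
from typing import Iterable, List, Sequence, Set, Tuple
Gram = Tuple[str, ...]

# Constructed sample traces. Event names are modelled on LSM hook names
# (bprm_check_security, file_open, ...) purely for illustration; a real
# monitor would record them from the kernel's security hooks.
NORMAL_TRACES: List[List[str]] = [
    ["bprm_check_security", "file_open", "file_permission",
     "file_permission", "file_open", "file_permission"],
    ["bprm_check_security", "file_open", "file_permission",
     "file_open", "file_permission", "file_permission"],
]
# Same program, but it suddenly connects a socket and creates an inode.
ANOMALOUS_TRACE: List[str] = [
    "bprm_check_security", "file_open", "file_permission",
    "socket_connect", "inode_create", "file_permission",
]

def ngrams(events: Sequence[str], k: int) -> List[Gram]:
    """All length-k windows of the trace, in order."""
    return [tuple(events[i:i + k]) for i in range(len(events) - k + 1)]

class SequenceProfile:
    """Normal-behaviour database: the set of k-grams seen during training."""
    def __init__(self, k: int = 3) -> None:
        self.k = k
        self.normal: Set[Gram] = set()

    def train(self, traces: Iterable[Sequence[str]]) -> None:
        for trace in traces:
            self.normal.update(ngrams(trace, self.k))

    def score(self, trace: Sequence[str]) -> Tuple[float, List[Gram]]:
        """Return (mismatch rate, mismatching windows) for a new trace."""
        grams = ngrams(trace, self.k)
        mismatches = [g for g in grams if g not in self.normal]
        rate = len(mismatches) / len(grams) if grams else 0.0
        return rate, mismatches

def build_profile(k: int = 3) -> SequenceProfile:
    profile = SequenceProfile(k)
    profile.train(NORMAL_TRACES)
    return profile

if __name__ == "__main__":
    prof = build_profile()
    for name, trace in (("normal", NORMAL_TRACES[0]), ("suspect", ANOMALOUS_TRACE)):
        rate, bad = prof.score(trace)
        print(f"{name}: mismatch rate {rate:.2f}, unseen windows {bad}")
```

With finer-grained events such as these, the single unexpected socket and inode operations produce three unseen windows out of four, whereas a coarser event vocabulary would mask them inside otherwise-normal windows.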