Detecting Intrusions Using System Calls: Alternative Data Models - PowerPoint PPT Presentation

Transcript and Presenter's Notes


1
Detecting Intrusions Using System Calls
Alternative Data Models
  • C. Warrender, S. Forrest and B. Pearlmutter
  • Univ. of New Mexico
  • Presented by Jinghua Hu
  • CS791B Seminar 2002

2
Outline
  • Introduction
  • Data Sets
  • Experimental Design
  • Experimental Results
  • Discussions
  • References

3
Introduction
  • Motivation
  • Some intrusions can be detected by monitoring
    system call traces collected from active
    privileged processes
  • UNM first proposed the representation of normal
    profiles of programs by short sequences of system
    calls
  • Compare alternative models on their anomaly
    detection performance

4
Data Sets
  • Data Collection
  • Write a patch for the Red Hat Linux kernel to
    audit the system calls (no arguments) generated
    by a specified program
  • Monitor programs that run with privileges
  • Total number of system calls: 200

5
Data Sets
6
Data Sets
  • Programs vs. Intrusions

  Program        Intrusion
  lpr            Symbolic link
  named, xlock   Buffer overflow
  login, ps      Trojan
  inetd          Denial of Service
  stide          DoS attack
  sendmail       Only normal data
7
Applicable Methods
  • Frequency based methods
  • Enumerating Sequences
  • STIDE
  • Data-Mining Approaches
  • RIPPER
  • Finite State Machines
  • HMM

8
STIDE
  • Sequence Time-Delay Embedding
  • Motivation
  • System call traces have local patterns
  • Use fixed length patterns to represent the normal
    profiles of a program
  • Simple to compute and manipulate

9
STIDE
  • Training
  • Build a normal database consisting of all unique
    contiguous sequences of a fixed length K
  • Example: K = 6
  • Trace: 1 2 3 4 3 4 1 2 3 4 3 4 1 →
  • Unique sequences: 123434, 234341, 343412,
    434123, 341234, 412343

10
STIDE
  • Testing
  • Put a sliding window of length K along the test
    traces
  • Compare the current short sequence to the normal
    database
  • Mismatch: a sequence not found in the normal
    database
  • Many intrusions produce anomalous sequences in
    temporally local clusters

11
STIDE
  • Locality Frame Counts (LFC)
  • Count the mismatches within a Locality Frame (a
    time window covering the most recent N system
    calls/sequences)
  • Raise an alarm when the Locality Frame Count is
    above a threshold

12
T-Stide
  • T-Stide = Stide with a frequency threshold
  • Training
  • Sequences are defined as rare if they account
    for less than 0.001 of the normal data
  • Testing
  • Mismatch: rare sequences are counted as
    mismatches in addition to those not included in
    the database

13
RIPPER
  • RIPPER
  • Repeated Incremental Pruning to Produce Error
    Reduction
  • A rule learning system for classification
  • Rule: set of attributes → target_class
  • For system call sequences of length K,
  • (C1, C2, ..., CK-1) → CK

14
RIPPER
  • Training
  • Extract a list of all unique sequences of a fixed
    length
  • Turn into RIPPER samples in the form of
    attribute/target pairs
  • RIPPER generates a list of rules to describe the
    normal sequences

15
RIPPER
  • For each rule, define Violation Score as the
    percentage of times that the rule is correctly
    applied to training examples when all conditions
    are met
  • High-Confidence rule
  • if the violation score > 80%
  • High confidence implies high support in training
    data

16
RIPPER
  • Testing
  • Mismatch sequences that violate a
    high-confidence rule
  • Aggregate the mismatches into Locality Frame
    Counts
  • Raise alarm when LFC is above a threshold

17
Hidden Markov Models
  • Hidden Markov Models
  • A doubly embedded stochastic process
  • Represented by
  • Parameter setting
  • Number of states = number of unique system calls
  • Requires a large amount of computation
  • May not be a good choice

18
Hidden Markov Models
  • Training
  • Estimate the values of the unknown parameters
    from the given observations
  • Use the Baum-Welch re-estimation algorithm
  • Initialization: randomized or specified
  • Testing (standard)
  • Estimate the likelihood that the test data were
    generated by the given model

19
Hidden Markov Models
  • Testing (alternative)
  • Assumption: intrusive traces show more system
    calls that would require unusual state
    transitions or symbol outputs
  • Set a threshold on the one-step probability of
    transitions/outputs as the normal threshold

20
Hidden Markov Models
  • Mismatch: a system call that could only have
    been produced by a transition or output with
    probability below the threshold
  • For test traces, keep track of all possible paths
    and check for mismatches at each individual
    position
  • Mismatches are not aggregated into an LFC, so
    each mismatch is counted as an alarm
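As an added example, not code from the slides and not a model trained on the UNM data, both HMM tests of the preceding slides in Python on a constructed two-state, three-symbol model: the standard test computes the trace likelihood with the forward algorithm, and the alternative test tracks the set of states reachable through above-threshold transitions and outputs only, flagging a mismatch wherever no such path can produce the next call. Baum-Welch training is not shown; the matrices are hand-picked, and resuming tracking after a mismatch from every state that can emit the call is an assumption of this example.

```python
import math

# Constructed toy HMM: 2 hidden states, 3 system-call symbols (0, 1, 2).
# The paper sets the number of states to about the number of unique system
# calls; 2 states are used here only to keep the numbers readable.
STATES = 2
PI = [0.5, 0.5]              # initial state probabilities
A = [[0.9, 0.1],             # A[p][s]: probability of transition p -> s
     [0.1, 0.9]]
B = [[0.7, 0.3, 0.0],        # B[s][o]: probability of output o in state s
     [0.2, 0.3, 0.5]]        # state 0 never emits symbol 2


def log_likelihood(obs):
    """Standard test: log P(obs | model) by the forward algorithm, with
    per-step scaling so that long traces do not underflow."""
    alpha = [PI[s] * B[s][obs[0]] for s in range(STATES)]
    logp = 0.0
    for t in range(len(obs)):
        if t > 0:
            alpha = [sum(alpha[p] * A[p][s] for p in range(STATES)) * B[s][obs[t]]
                     for s in range(STATES)]
        scale = sum(alpha)
        if scale == 0.0:
            return float("-inf")     # trace is impossible under the model
        alpha = [a / scale for a in alpha]
        logp += math.log(scale)
    return logp


def _emitters(o):
    """States that can emit o at all, or every state if none can.
    Assumption of this example: tracking restarts here after a mismatch."""
    live = {s for s in range(STATES) if B[s][o] > 0.0}
    return live or set(range(STATES))


def threshold_mismatches(obs, threshold):
    """Alternative test: `live` is the set of states that some path using
    only transitions and outputs with probability >= threshold can be in.
    If no such path can produce the call at position t, that call is a
    mismatch, and the paper counts every mismatch as an alarm."""
    mismatches = []
    live = {s for s in range(STATES) if B[s][obs[0]] >= threshold}
    if not live:
        mismatches.append(0)
        live = _emitters(obs[0])
    for t in range(1, len(obs)):
        o = obs[t]
        nxt = {s for p in live for s in range(STATES)
               if A[p][s] >= threshold and B[s][o] >= threshold}
        if not nxt:
            mismatches.append(t)
            nxt = _emitters(o)
        live = nxt
    return mismatches


if __name__ == "__main__":
    print(log_likelihood([0, 0, 0]), log_likelihood([2, 2, 2]))
    print(threshold_mismatches([0, 0, 0, 1, 0, 0], 0.25))   # normal-looking: []
    print(threshold_mismatches([0, 0, 2, 0], 0.25))         # [2, 3]
```

The likelihood test yields one score per trace and needs a trace-level threshold, whereas the one-step threshold test yields a decision per system call, which is why the slides treat its mismatches as alarms directly rather than through a locality frame.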

21
Performance Criteria
  • General Criteria
  • True Positive = a/(a+c)
  • False Positive = b/(b+d)
  • Miss Rate = 1 - True Positive = c/(a+c)

                                       Truth of Data
  Classification Results               Intrusion   Normal
  Classified as Intrusion (positive)   a           b
  Classified as Normal (negative)      c           d
22
Performance Criteria
  • In this paper,
  • True Positive
  • Percentage of intrusive traces from which at
    least one alarm is raised
  • Use trace as the unit
  • False Positive
  • Percentage of False Alarm system calls ( or short
    sequences ) within a normal test trace
  • Use system call as the unit

23
Experimental Results
  • Parameter settings
  • Sequence Length: 6
  • Locality Frame size: 20
  • Results
  • Tradeoff between True and False Positives
  • Relationship between True/False Positives and
    Thresholds
  • False Positives across data sets

24
Tradeoff: True vs. False Positives
25
True/False Positives vs. Threshold
26
False Positives across Data Sets
  • A threshold is chosen for each method that makes
    true positives above 95%

27
Discussions
  • The results suggest that there is no single best
    choice for all the data sets
  • HMM works best for most data sets
  • T-stide seems to be a bad choice
  • Large/complicated programs such as sendmail are
    difficult to model
  • Simpler methods (STIDE) are comparable with HMMs
    at lower cost

28
Discussions
  • Open issues
  • Performance metrics are not equivalent
  • When to stop collecting data
  • Scalability of models
  • What data streams are the most effective for
    intrusion detection
  • More

29
Discussions
  • Other related works
  • Variable Length Patterns ( IBM )
  • Neural Networks ( RST )
  • Markov Chains ( CMU )
  • Temporal Signatures ( Arizona )

30
References
  • C. Warrender, S. Forrest and B. Pearlmutter.
    Detecting Intrusions Using System Calls:
    Alternative Data Models. In Proceedings of the
    1999 IEEE Symposium on Security and Privacy,
    pp. 133-145, 1999.
  • W. Lee, S. J. Stolfo and P. K. Chan. Learning
    Patterns from Unix Process Execution Traces for
    Intrusion Detection. In AAAI Workshop on AI
    Approaches to Fraud Detection and Risk
    Management, pp. 50-56, 1997.
  • A. Wespi, M. Dacier and H. Debar. Intrusion
    Detection Using Variable-Length Audit Trail
    Patterns. In RAID 2000, LNCS 1907, pp. 110-129,
    2000.
  • S. Jha, K. M. C. Tan and R. A. Maxion. Markov
    Chains, Classifiers and Intrusion Detection. In
    14th IEEE Computer Security Foundations Workshop,
    Cape Breton, Nova Scotia, Canada, pp. 206-219,
    11-13 June 2001.