Automatic Generation of Finite State Automata for Detecting Intrusions Using System Call Sequences

Abstract

Analysis of the system call sequences generated by privileged programs has proven to be an effective way of detecting intrusions. There are many approaches to analyzing system call sequences, including N-grams, rule induction, finite automata, and Hidden Markov Models. Among these techniques, the use of finite automata has the advantage of analyzing whole sequences without imposing a heavy load on the system. There have been various studies on how to construct finite automata that model the normal behavior of privileged programs. However, previous studies had the disadvantage of either constructing the finite automata manually or requiring system information other than system calls. In this paper we present fully automated algorithms that construct finite automata which recognize sequences of normal behavior and reject those of abnormal behavior, without requiring any system information other than system calls. We implemented our algorithms and experimented with well-known data sets of system call sequences. The results of the experiments show the efficiency and effectiveness of our system.
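The abstract does not describe the construction algorithm itself, so the following is an added illustration of the general idea rather than the paper's method: a finite automaton learned only from system call traces, where each state is the last k calls observed (an assumption made here; k=1 gives a plain bigram automaton), transitions are recorded only when they appear in a normal trace, and a monitored trace is rejected at the first call for which no transition exists. The traces are constructed sample data, not data from the paper's experiments.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample traces standing in for the normal behaviour of a
# privileged program (hypothetical, not data from the paper).
NORMAL_TRACES: List[List[str]] = [
    ["open", "read", "read", "close"],
    ["open", "read", "write", "close"],
    ["open", "mmap", "read", "close"],
    ["stat", "open", "read", "close"],
]

State = Tuple[str, ...]


class SyscallAutomaton:
    """Deterministic automaton over system call names.

    A state is the tuple of the last k calls seen ("<s>" pads the start).
    A transition (state, call) -> next state exists only if that step was
    observed in a normal trace, so the automaton accepts exactly those
    sequences whose every k-context is known, and whose final context was
    seen at the end of some training trace.
    """

    def __init__(self, k: int = 2) -> None:
        self.k = k
        self.start: State = ("<s>",) * k
        self.transitions: Dict[Tuple[State, str], State] = {}
        self.accepting: Set[State] = set()

    def train(self, traces: List[List[str]]) -> "SyscallAutomaton":
        """Build the automaton from normal traces; fully automatic, no
        information other than the call names is needed."""
        for trace in traces:
            state = self.start
            for call in trace:
                nxt = state[1:] + (call,)          # slide the k-window
                self.transitions[(state, call)] = nxt
                state = nxt
            self.accepting.add(state)
        return self

    def num_states(self) -> int:
        states = {self.start}
        for (src, _), dst in self.transitions.items():
            states.add(src)
            states.add(dst)
        return len(states)

    def check(self, trace: List[str]) -> Tuple[str, Optional[int]]:
        """Run the automaton over a trace.

        Returns ("accepted", None), ("unseen_transition", i) with i the index
        of the first call that has no defined transition, or
        ("unexpected_end", len(trace)) when the trace stops in a state that
        never terminated a normal trace.
        """
        state = self.start
        for i, call in enumerate(trace):
            nxt = self.transitions.get((state, call))
            if nxt is None:
                return "unseen_transition", i
            state = nxt
        if state not in self.accepting:
            return "unexpected_end", len(trace)
        return "accepted", None


if __name__ == "__main__":
    fsa = SyscallAutomaton(k=2).train(NORMAL_TRACES)
    print("states:", fsa.num_states())
    for t in (["stat", "open", "read", "write", "close"],   # recombines seen steps
              ["open", "read", "execve", "close"],          # never-seen step
              ["open", "read"]):                            # truncated
        print(t, "->", fsa.check(t))
```

Because states carry only a k-call context, the automaton generalizes: a trace that recombines steps seen in different normal traces (such as `stat, open, read, write, close` above) is accepted even though it never appeared verbatim, while a single unseen step is flagged with its position. Raising k makes the model tighter and larger; lowering it trades detection precision for fewer states and fewer false positives on rare but legitimate paths.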
