Construction of Finite Automata for Intrusion Detection from System Call Sequences by Genetic Algorithms

• Published in: Advances in Knowledge Discovery and Data Mining pp. 594 - 602
• Main Authors: Wee, Kyubum, Kim, Sinjae
• Format: Book Chapter Conference Proceeding
• Language: English
• Published: Berlin, Heidelberg Springer Berlin Heidelberg 2006; Springer
• Series: Lecture Notes in Computer Science
• Subjects: Anomaly Detection; Applied sciences; Computer science; control theory; systems; Data processing. List processing. Character string processing; Exact sciences and technology; IEEE Symposium; Information systems. Data bases; Intrusion Detection; Intrusion Detection System; Memory and file management (including protection and security); Memory organisation. Data processing; Software; System Call; Data analysis; Information system; Program execution; Finite automaton; Intruder detector; Data mining; Behavior model; Modeling; Genetic algorithm; Behavioral analysis; Knowledge discovery; Anomaly; Computer security; User behavior; Intrusion detection systems
• ISBN: 9783540332060; 3540332065
• ISSN: 0302-9743; 1611-3349
• DOI: 10.1007/11731139_69

Intrusion detection systems protect normal users and system resources from information security threats. Anomaly detection is an approach of intrusion detection that constructs models of normal behavior of users or systems and detects the behaviors that deviate from the model. Monitoring the sequences of system calls generated during the execution of privileged programs has been known to be an effective means of anomaly detection. Finite automata have been recognized as an appropriate device to model normal behaviors of system call sequences. However, there have been several technical difficulties in constructing finite automata from sequences of system calls. We present our study on how to construct finite automata from system call sequences using genetic algorithms. The resulting system is shown to be very effective in detecting intrusions through various experiments.