Automatically generating valid behavior specifications for intrusion detection
Abstract
One embodiment of the present invention provides a system that automatically generates a valid behavior specification for use in an intrusion detection system for a computer system. The system operates by receiving an exemplary set of system calls that includes positive examples of valid system calls, and possibly negative examples of invalid system calls. The system automatically constructs the valid behavior specification from the exemplary set of system calls by selecting a set of rules covering valid system calls. This set of rules is selected to cover all positive examples in the exemplary set of system calls without covering negative examples. Moreover, the process of selecting a rule for the valid behavior specification involves using an objective function that seeks to maximize the number of positive examples covered by the rule while seeking to minimize the number of possible system calls covered by the rule. In one embodiment of the present invention, the system additionally monitors an executing program. During this monitoring process, the system receives a system call generated by the executing program. The system next determines whether the system call is covered by a rule from within the valid behavior specification. If not, the system generates an indication that the system call is invalid.
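The abstract describes the construction step only qualitatively: generalize the positive examples into candidate rules, reject any rule that covers a negative example, and pick rules by an objective that rewards positives covered and penalizes the number of possible calls covered, until every positive is covered. The following is an added, constructed illustration of that procedure and of the monitoring step, not code from the patent. It assumes a system call is abstracted to a (syscall, path, mode) tuple, that each field has a finite domain equal to the values seen in the examples (so "possible system calls covered" is the product of the wildcarded domain sizes), and that the objective is `covered - ALPHA * size` with a hand-chosen ALPHA; all three are assumptions made for the example.

```python
"""Greedy rule induction for a syscall valid-behavior specification.

Constructed example in the spirit of the abstract; not the patent's code.
Assumptions: calls are (syscall, path, mode) tuples, field domains are the
values seen in the examples, and the objective is covered - ALPHA * size.
"""
from itertools import product

WILD = "*"      # wildcard: the rule does not constrain this field
ALPHA = 0.1     # assumed weight on "possible calls covered" (tunable)

# Constructed sample traces: positives from a benign run, negatives from
# calls the operator wants excluded (e.g. writes to /etc, shell execution).
POSITIVE = [
    ("open", "/etc/passwd", "r"),
    ("open", "/etc/hosts", "r"),
    ("open", "/var/log/app.log", "w"),
    ("read", "/etc/passwd", "r"),
    ("read", "/etc/hosts", "r"),
    ("write", "/var/log/app.log", "w"),
]
NEGATIVE = [
    ("open", "/etc/passwd", "w"),
    ("open", "/bin/sh", "x"),
    ("execve", "/bin/sh", "x"),
]


def matches(rule, call):
    """True if every field of the rule equals the call's field or is WILD."""
    return all(r == WILD or r == c for r, c in zip(rule, call))


def domains(examples):
    """Assumed finite domain per field: the set of values seen in the examples."""
    width = len(examples[0])
    return [sorted({ex[i] for ex in examples}) for i in range(width)]


def candidate_rules(positives):
    """Every generalization of a positive example obtained by wildcarding fields."""
    cands = set()
    for ex in positives:
        for mask in product((False, True), repeat=len(ex)):
            cands.add(tuple(WILD if w else v for w, v in zip(mask, ex)))
    return cands


def rule_size(rule, doms):
    """Number of possible calls the rule covers: product of wildcarded domains."""
    size = 1
    for r, d in zip(rule, doms):
        size *= len(d) if r == WILD else 1
    return size


def objective(rule, uncovered, doms):
    """Reward positives still uncovered that the rule covers; penalize its reach."""
    covered = sum(1 for p in uncovered if matches(rule, p))
    return covered - ALPHA * rule_size(rule, doms)


def learn_specification(positives, negatives):
    """Greedily select rules until all positives are covered, never a negative."""
    doms = domains(positives + negatives)
    # A rule that covers any negative example is never eligible.
    cands = [r for r in candidate_rules(positives)
             if not any(matches(r, n) for n in negatives)]
    uncovered = set(positives)
    spec = []
    while uncovered:
        # Tie-break on smaller reach, then on the tuple itself, for determinism.
        best = max(cands, key=lambda r: (objective(r, uncovered, doms),
                                         -rule_size(r, doms), r))
        if not any(matches(best, p) for p in uncovered):
            raise ValueError("a positive example is also a negative example")
        spec.append(best)
        uncovered = {p for p in uncovered if not matches(best, p)}
    return spec


def check_call(spec, call):
    """Monitoring step: True if some rule covers the call, False = invalid."""
    return any(matches(r, call) for r in spec)


if __name__ == "__main__":
    spec = learn_specification(POSITIVE, NEGATIVE)
    print("specification:", spec)
    for call in [("read", "/etc/hosts", "r"), ("execve", "/bin/sh", "x")]:
        print(call, "valid" if check_call(spec, call) else "INVALID")
```

On the constructed data the greedy loop first picks `("*", "*", "r")` (four positives covered, reach 16) and then `("*", "/var/log/app.log", "w")`, so the learned specification reads "any read-mode access; write-mode access only to the log file". The generalization is the point and the caveat: the first rule also admits unseen calls such as `("open", "/etc/shadow", "r")`, which is why negative examples and the reach penalty matter, and why ALPHA should be chosen (or the objective replaced) with the deployment's tolerance for unseen-but-permitted calls in mind.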
24 Claims
1. A method for automatically generating a valid behavior specification for use in an intrusion detection system for a computer system, comprising:
receiving an exemplary set of system calls that includes positive examples of valid system calls, and possibly negative examples of invalid system calls; and
automatically constructing the valid behavior specification from the exemplary set of system calls by selecting a set of rules covering valid system calls;
wherein the set of rules covers all positive examples in the exemplary set of system calls without covering negative examples;
wherein selecting a rule for the valid behavior specification involves using an objective function that seeks to maximize the number of positive examples covered by the rule while seeking to minimize the number of possible system calls covered by the rule.
Dependent claims: 2, 3, 4, 5, 6, 7, 8

9. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for automatically generating a valid behavior specification for use in an intrusion detection system for a computer system, the method comprising:
receiving an exemplary set of system calls that includes positive examples of valid system calls, and possibly negative examples of invalid system calls; and
automatically constructing the valid behavior specification from the exemplary set of system calls by selecting a set of rules covering valid system calls;
wherein the set of rules covers all positive examples in the exemplary set of system calls without covering negative examples;
wherein selecting a rule for the valid behavior specification involves using an objective function that seeks to maximize the number of positive examples covered by the rule while seeking to minimize the number of possible system calls covered by the rule.
Dependent claims: 10, 11, 12, 13, 14, 15, 16, 18, 19, 20, 21, 22, 23, 24

17. An apparatus that is configured to automatically generate a valid behavior specification for use in an intrusion detection system for a computer system, comprising:
a receiving mechanism that is configured to receive an exemplary set of system calls that includes positive examples of valid system calls, and possibly negative examples of invalid system calls; and
a specification construction mechanism that is configured to automatically construct the valid behavior specification from the exemplary set of system calls by selecting a set of rules covering valid system calls;
wherein the set of rules covers all positive examples in the exemplary set of system calls without covering negative examples;
wherein the specification construction mechanism is configured to select a rule for the valid behavior specification by using an objective function that seeks to maximize the number of positive examples covered by the rule while seeking to minimize the number of possible system calls covered by the rule.
Specification