US 6,983,380 B2
Automatically generating valid behavior specifications for intrusion detection
Cheuk W. Ko, San Jose, Calif. (US)
Assigned to Networks Associates Technology, Inc., Santa Clara, Calif. (US)
Filed on Feb. 06, 2001, as Appl. No. 9/778,623.
Prior Publication US 2002/0138755 A1, Sep. 26, 2002
Int. Cl. G06F 11/30 (2006.01); G06F 12/14 (2006.01); H04L 9/00 (2006.01); H04L 9/32 (2006.01)
U.S. Cl. 713—201 21 Claims
OG exemplary drawing
 
1. A method for automatically generating a valid behavior specification for use in an intrusion detection system for a computer system, comprising:
receiving an exemplary set of system calls that includes positive examples of valid system calls, and possibly negative examples of invalid system calls; and
automatically constructing the valid behavior specification from the exemplary set of system calls by selecting a set of rules covering valid system calls;
wherein the set of rules covers all positive examples in the exemplary set of system calls without covering negative examples;
wherein selecting a rule for the valid behavior specification involves using an objective function that seeks to maximize the number of positive examples covered by the rule while seeking to minimize the number of possible system calls covered by the rule;
wherein the objective function additionally seeks to minimize the number of privileged system calls covered by the rule and minimize a length of the rule; and
wherein the objective function includes: $f_h = e_h - (g_h + p_h + c_h)$, where:
$g_h$ = the generality of clause $h$;
$p_h$ = the privilege of clause $h$;
$c_h$ = the length of clause $h$; and
$e_h$ = the explanation power of clause $h$.
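The claim above describes a rule-learning procedure: generalise the observed (positive) system calls into clauses, reject any clause that also covers a negative example, and pick clauses by the objective $f_h = e_h - (g_h + p_h + c_h)$ until every positive example is covered. The following Python is an illustration added for this page, not the patent's own implementation. It treats each system call as a (call, dir, mode) record, a clause as the same tuple with `*` for "any value", and makes three assumptions the claim leaves open: generality $g_h$ is counted as the number of distinct calls the clause can match over the value domains observed in the examples, privilege $p_h$ is the number of calls from a fixed privileged set (here `execve` and `chmod`) the clause can match, and explanation power $e_h$ is counted over the positives still unexplained at each greedy step (the usual set-cover choice). The sample traces are constructed, not real data.

```python
"""Greedy construction of a valid-behaviour specification from example system calls.

Illustrative code added for this page; it is not the patent's own implementation.
A system call is a record (call, dir, mode). A rule (clause h) has the same
positions, where '*' matches any value. Rules are scored with the claim's
objective f_h = e_h - (g_h + p_h + c_h) and chosen greedily until every positive
example is covered and no negative example is. The way g_h is counted, the set of
privileged calls and the sample traces are assumptions made for this example.
"""

WILD = "*"
# Assumption: calls that carry privilege and therefore add to p_h.
PRIVILEGED = {"execve", "chmod"}


def covers(rule, call):
    """True if every rule literal is a wildcard or equals the call's value."""
    return all(lit == WILD or lit == val for lit, val in zip(rule, call))


def domains(records):
    """Observed value set per attribute position; defines the space of possible calls."""
    return [set(col) for col in zip(*records)]


def score(rule, positives, doms):
    """Return (f_h, e_h, g_h, p_h, c_h) for one clause."""
    e = sum(1 for call in positives if covers(rule, call))   # explanation power
    g = 1                                                    # generality: possible calls matched
    for lit, dom in zip(rule, doms):
        g *= len(dom) if lit == WILD else 1
    call_lit = rule[0]                                       # privilege: privileged calls matched
    p = len(PRIVILEGED & doms[0]) if call_lit == WILD else int(call_lit in PRIVILEGED)
    c = sum(1 for lit in rule if lit != WILD)                # length: literals in the clause
    return e - (g + p + c), e, g, p, c


def candidates(call):
    """All generalisations of one example: every subset of positions replaced by '*'."""
    out = []
    for mask in range(1 << len(call)):
        out.append(tuple(WILD if (mask >> i) & 1 else v for i, v in enumerate(call)))
    return out


def learn_spec(positives, negatives):
    """Greedy cover: add the best-scoring consistent clause until all positives are explained."""
    doms = domains(list(positives) + list(negatives))
    uncovered = list(positives)
    rules = []
    while uncovered:
        best, best_f = None, None
        for example in sorted(set(uncovered)):
            for rule in candidates(example):
                if any(covers(rule, n) for n in negatives):  # never admit a negative example
                    continue
                f = score(rule, uncovered, doms)[0]
                if best_f is None or f > best_f:
                    best, best_f = rule, f
        if best is None:
            raise ValueError("a positive example also appears as a negative example")
        rules.append(best)
        uncovered = [call for call in uncovered if not covers(best, call)]
    return rules


def accepts(rules, call):
    """Runtime check an intrusion detector would make: is the call explained by some rule?"""
    return any(covers(rule, call) for rule in rules)


# Constructed sample traces (not real data): a small web-server profile with repeats,
# so frequent behaviour outweighs the generality cost of a wildcard.
POSITIVES = (
    [("open", "/var/www", "r")] * 40
    + [("stat", "/var/www", "r")] * 12
    + [("open", "/var/log", "w")] * 9
    + [("execve", "/usr/bin", "x")] * 2
)
NEGATIVES = [
    ("open", "/etc", "r"),
    ("execve", "/bin", "x"),
    ("chmod", "/var/www", "w"),
]

if __name__ == "__main__":
    doms = domains(POSITIVES + NEGATIVES)
    spec = learn_spec(POSITIVES, NEGATIVES)
    for rule in spec:
        f, e, g, p, c = score(rule, POSITIVES, doms)
        print(f"{rule}  f={f} (e={e} g={g} p={p} c={c})")
    for probe in [("stat", "/var/www", "r"), ("open", "/etc", "r"), ("chmod", "/var/www", "r")]:
        print(probe, "accepted" if accepts(spec, probe) else "flagged")
```

On the constructed trace the first clause chosen is `("*", "/var/www", "r")`: it explains 52 calls at a cost of $g_h = 4$, $p_h = 2$, $c_h = 2$, beating the fully specific `("open", "/var/www", "r")` (40 explained, cost 4). The caveat a practitioner should check is visible in the last probe: the wildcard in the call position also admits `("chmod", "/var/www", "r")`, which never appeared in the trace. The privilege term $p_h$ only penalises such clauses, it does not forbid them, so clauses with a wildcard call name deserve manual review before the specification is deployed.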