US 6,983,380 B2
Automatically generating valid behavior specifications for intrusion detection
Cheuk W. Ko, San Jose, Calif. (US)
Assigned to Networks Associates Technology, Inc., Santa Clara, Calif. (US)
Filed on Feb. 06, 2001, as Appl. No. 9/778,623.
Prior Publication US 2002/0138755 A1, Sep. 26, 2002
Int. Cl. G06F 11/30 (2006.01); G06F 12/14 (2006.01); H04L 9/00 (2006.01); H04L 9/32 (2006.01)
U.S. Cl. 713/201    21 Claims
1. A method for automatically generating a valid behavior specification for use in an intrusion detection system for a computer
system, comprising:
receiving an exemplary set of system calls that includes positive examples of valid system calls, and possibly negative examples
of invalid system calls; and
automatically constructing the valid behavior specification from the exemplary set of system calls by selecting a set of rules
covering valid system calls;
wherein the set of rules covers all positive examples in the exemplary set of system calls without covering negative examples;
wherein selecting a rule for the valid behavior specification involves using an objective function that seeks to maximize
the number of positive examples covered by the rule while seeking to minimize the number of possible system calls covered
by the rule;
wherein the objective function additionally seeks to minimize the number of privileged system calls covered by the rule and
minimize a length of the rule; and
wherein the objective function includes $f_h = e_h - (g_h + p_h + c_h)$, where:
$g_h$ = the generality of clause $h$;
$p_h$ = the privilege of clause $h$;
$c_h$ = the length of clause $h$; and
$e_h$ = the explanation power of clause $h$.
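Claim 1 describes a sequential-covering learner: candidate rules (clauses) are generalised from the positive examples, any clause that admits a negative example is discarded, and clauses are picked greedily by the objective $f_h = e_h - (g_h + p_h + c_h)$ until every positive example is covered. The block below is an added example written for this page, not code from the patent or from Networks Associates Technology. The example set (a hypothetical setuid utility's observed and forbidden calls), the three-attribute call shape (syscall, path, flags), the privileged-syscall set and the concrete scoring of the four terms are all assumptions, since the claim does not fix them: $e_h$ is the number of not-yet-explained positives the clause covers, $g_h$ is the number of calls in a finite universe (every combination of attribute values seen in the examples) that the clause admits beyond the positives, $p_h$ is the number of admitted universe calls whose syscall is privileged, and $c_h$ is the number of non-wildcard conjuncts.

```python
"""Sequential-covering specification generator in the spirit of claim 1 (added example, not the patent's code)."""
from dataclasses import dataclass
from itertools import product
from typing import Iterable, List, Set, Tuple

# A system-call record: (syscall name, path argument, open flags, or "-" when flags do not apply).
Call = Tuple[str, str, str]
ANY = "*"  # wildcard constraint

# Constructed examples (assumed, not from the patent): what a hypothetical setuid utility
# was observed to do (positives) and what it must never do (negatives).
POSITIVE: List[Call] = [
    ("open", "/etc/passwd", "O_RDONLY"),
    ("open", "/etc/group", "O_RDONLY"),
    ("open", "/etc/hosts", "O_RDONLY"),
    ("open", "/tmp/out.txt", "O_WRONLY"),
    ("open", "/tmp/out.log", "O_WRONLY"),
    ("execve", "/bin/ls", "-"),
]
NEGATIVE: List[Call] = [
    ("open", "/root/.ssh/id_rsa", "O_RDONLY"),  # reading a secret
    ("open", "/etc/passwd", "O_WRONLY"),        # writing the account database
    ("execve", "/bin/sh", "-"),                 # spawning a shell
]
PRIVILEGED = {"execve"}  # assumed privileged syscalls for the p_h term


@dataclass(frozen=True)
class Clause:
    """One rule: a constraint per attribute. A path constraint ending in '/' is a directory prefix."""
    syscall: str
    path: str
    flags: str

    def covers(self, call: Call) -> bool:
        sc, path, flags = call
        if self.syscall not in (ANY, sc) or self.flags not in (ANY, flags):
            return False
        if self.path == ANY:
            return True
        if self.path.endswith("/"):
            return path.startswith(self.path)
        return path == self.path

    def length(self) -> int:
        """c_h: number of non-wildcard conjuncts."""
        return sum(c != ANY for c in (self.syscall, self.path, self.flags))


def dirname(path: str) -> str:
    """Directory prefix including the trailing slash: '/etc/passwd' -> '/etc/'."""
    return path[: path.rfind("/") + 1]


def universe(calls: Iterable[Call]) -> List[Call]:
    """Finite proxy for 'all possible system calls': every combination of observed attribute values."""
    calls = list(calls)
    return list(product(sorted({c[0] for c in calls}), sorted({c[1] for c in calls}),
                        sorted({c[2] for c in calls})))


def candidates(positives: Iterable[Call]) -> Set[Clause]:
    """Generalise each positive: literal or wildcard syscall/flags; literal, directory-prefix or wildcard path."""
    out: Set[Clause] = set()
    for sc, path, flags in positives:
        for s, p, f in product((sc, ANY), (path, dirname(path), ANY), (flags, ANY)):
            out.add(Clause(s, p, f))
    return out


def objective(h: Clause, positives: List[Call], uncovered: List[Call], univ: List[Call]):
    """Return (f_h, e_h, g_h, p_h, c_h, admitted) for clause h with f_h = e_h - (g_h + p_h + c_h)."""
    admitted = [u for u in univ if h.covers(u)]
    pos = set(positives)
    e = sum(h.covers(x) for x in uncovered)      # explanation power
    g = sum(u not in pos for u in admitted)      # generality: admitted calls beyond the evidence
    p = sum(u[0] in PRIVILEGED for u in admitted)  # privilege
    c = h.length()                                # length
    return e - (g + p + c), e, g, p, c, len(admitted)


def generate(positives: List[Call], negatives: List[Call]) -> List[Tuple[Clause, int]]:
    """Greedy cover: repeatedly pick the admissible clause with the best f_h that explains something new."""
    univ = universe(positives + negatives)
    # A clause that admits any negative example is never allowed into the specification.
    admissible = [h for h in candidates(positives) if not any(h.covers(n) for n in negatives)]
    uncovered = list(positives)
    spec: List[Tuple[Clause, int]] = []
    while uncovered:
        best = None
        for h in admissible:
            f, e, g, p, c, admitted = objective(h, positives, uncovered, univ)
            if e == 0:
                continue  # explains nothing new
            key = (f, -admitted, (h.syscall, h.path, h.flags))  # ties: prefer the more specific clause
            if best is None or key > best[0]:
                best = (key, h, f)
        if best is None:  # a positive example coincides with a negative one: contradictory input
            raise ValueError("example set cannot be covered without admitting a negative: %r" % uncovered)
        _, h, f = best
        spec.append((h, f))
        uncovered = [x for x in uncovered if not h.covers(x)]
    return spec


if __name__ == "__main__":
    for h, f in generate(POSITIVE, NEGATIVE):
        print("%-8s %-16s %-9s f_h=%d" % (h.syscall, h.path, h.flags, f))
```

On this input the learner emits three rules: read-only opens under `/etc/`, write-only opens under `/tmp/`, and the literal `execve /bin/ls`. The negatives are what keep the wildcard clauses out: without the `/root/.ssh/id_rsa` example, `open * O_RDONLY` would be admissible, and without the `/bin/sh` example the `execve /bin/*` prefix would be. The raised error on uncoverable input is the caveat a practitioner should expect: if an observed call is also listed as invalid, no rule set satisfies the claim's "covers all positives without covering negatives" condition, and the contradiction must be resolved in the examples, not hidden by the learner.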