Posted on 2006-01-01, 00:00. Authored by Debin Gao, Michael K. Reiter, Dawn Song.
The behavioral distance between two processes is a measure
of the deviation of their behaviors. Behavioral distance has been proposed
for detecting the compromise of a process, by computing its behavioral
distance from another process executed on the same input. Provided that
the two processes are diverse and so unlikely to fall prey to the same attacks, an increase in behavioral distance might indicate the compromise
of one of them. In this paper we propose a new approach to behavioral
distance calculation using a new type of Hidden Markov Model. We also
empirically evaluate the intrusion detection capability of our proposal
when used to measure the distance between the system-call behaviors of
diverse web servers. Our experiments show that it detects intrusions with
substantially greater accuracy and with performance overhead comparable to that of prior proposals.
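To make the idea of a behavioral distance concrete, here is an added example (not code from the paper or its authors): a small hand-set HMM whose hidden states emit pairs of system calls, one from each of two diverse servers handling the same request, scores an aligned pair of traces by their negative log-likelihood. The HMM structure, all parameters, the threshold and the sample traces are constructed assumptions, and the traces are assumed to be equal-length and pre-aligned.

```python
import math

# Constructed toy HMM for illustration only (not the paper's trained model).
# Each hidden state stands for a phase of request handling and emits a PAIR
# (syscall of server A, syscall of server B) observed while both serve the same input.
STATES = ("accept_phase", "respond_phase", "close_phase")
START = {"accept_phase": 0.9, "respond_phase": 0.05, "close_phase": 0.05}
TRANS = {
    "accept_phase":  {"accept_phase": 0.6, "respond_phase": 0.35, "close_phase": 0.05},
    "respond_phase": {"accept_phase": 0.05, "respond_phase": 0.6, "close_phase": 0.35},
    "close_phase":   {"accept_phase": 0.1, "respond_phase": 0.1, "close_phase": 0.8},
}
EMIT = {  # pairs seen together during "training"; anything else gets FLOOR
    "accept_phase":  {("accept", "accept"): 0.5, ("read", "recvfrom"): 0.45},
    "respond_phase": {("stat", "stat"): 0.2, ("open", "open"): 0.15, ("write", "sendto"): 0.6},
    "close_phase":   {("close", "close"): 0.9},
}
FLOOR = 1e-4  # small probability for never-seen pairs so one novel pair is not -inf

def logsumexp(xs):
    m = max(xs)
    return m + math.log(sum(math.exp(x - m) for x in xs))

def behavioral_distance(trace_a, trace_b):
    """Per-pair negative log-likelihood of the aligned traces under the HMM
    (forward algorithm in log space). Assumes equal-length, pre-aligned traces,
    a simplification of what a real system must handle. Larger = more divergent."""
    if len(trace_a) != len(trace_b) or not trace_a:
        raise ValueError("traces must be non-empty and aligned one-to-one")
    pairs = list(zip(trace_a, trace_b))
    emit = lambda s, p: math.log(EMIT[s].get(p, FLOOR))
    alpha = {s: math.log(START[s]) + emit(s, pairs[0]) for s in STATES}
    for pair in pairs[1:]:
        alpha = {s: logsumexp([alpha[p] + math.log(TRANS[p][s]) for p in STATES]) + emit(s, pair)
                 for s in STATES}
    return -logsumexp(list(alpha.values())) / len(pairs)

# Constructed sample traces: two diverse servers handling the same request.
SERVER_A = ["accept", "read", "stat", "open", "write", "close"]
SERVER_B_NORMAL = ["accept", "recvfrom", "stat", "open", "sendto", "close"]
# Same request, but server B now makes a call that was never paired with A's "write".
SERVER_B_DEVIANT = ["accept", "recvfrom", "stat", "open", "execve", "close"]

def flag_deviation(trace_a, trace_b, threshold=2.0):
    """Return (distance, alarm): alarm when the distance exceeds a tuned threshold."""
    d = behavioral_distance(trace_a, trace_b)
    return d, d > threshold

if __name__ == "__main__":
    for label, b in (("normal", SERVER_B_NORMAL), ("deviant", SERVER_B_DEVIANT)):
        print(label, flag_deviation(SERVER_A, b))
```

The single unseen pair in the deviant trace is enough to push the per-pair distance well above the normal run, which is the signal the abstract describes; in practice the threshold is tuned on benign paired traces.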