Next: Experiments and Performance Measurement
Up: Implementation
Previous: Signature-based Techniques
The sequence-based intrusion detection approach by Forrest [3]
calculates an anomaly value for a program execution based on the number of
sequences the program generates that are missed in a pre-computed database of
sequences. The technique has been found to be effective under offline
evaluation using audit data collected from different environments.
It requires properly-constructed norma
sensitive to program versions and configuration, and can in some cases
require significant processing resources to perform anomaly calculation in
real time.
We have structured Seq_id, our sequence-based ID wrapper,
to address these issues.
Seq_id runs in two modes: record mode and detect mode. In record
mode, Seq_id automatically generates a normative sequence database for
each program executed. Using Seq_id, we have generated a per-program
database for every program executed on our test machines. To increase
efficiency and simplicity, we have slightly modified the algorithm
described in [2] to merge some sequences that would remain distinct in
the original technique. Initial comparison tests between the two
algorithms indicate that the detection accuracy is similar. In detect
mode, Seq_id decides if each observed system call completes a sequence
stored in the program's database of normal behavior. Seq_id measures
the magnitude of each deviation, and reports those of sufficient
magnitude.
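As an added illustration of the two modes described above (example code, not Seq_id's own implementation): record mode fills a per-program database with every length-k system-call window seen in normal traces, and detect mode checks the window each observed call completes and reports when the mismatch rate over a locality frame of recent windows reaches a threshold. The window length, frame size, threshold, sample traces and the mismatch-fraction deviation measure are assumptions for the example; Seq_id's sequence-merging modification is not reproduced.

```python
# Added example (not Seq_id's own code): a minimal sliding-window
# sequence-database anomaly detector in the style of Forrest's technique.
# Window length, locality-frame size and reporting threshold are
# assumptions for illustration; the page does not give Seq_id's values.
from collections import deque

WINDOW = 4       # length k of each stored system-call sequence
FRAME = 6        # recent windows over which the deviation is measured
THRESHOLD = 0.5  # fraction of mismatches in the frame that is reported

class SeqDetector:
    def __init__(self, window=WINDOW):
        self.window = window
        self.db = set()  # normative database of k-sequences seen in record mode

    def record(self, trace):
        """Record mode: store every length-k window of a normal trace."""
        for i in range(len(trace) - self.window + 1):
            self.db.add(tuple(trace[i:i + self.window]))

    def detect(self, trace, frame=FRAME, threshold=THRESHOLD):
        """Detect mode: each call completes one k-window; a window absent from
        the database is a mismatch.  Deviation = fraction of mismatches among
        the last `frame` windows; (index, call, deviation) is reported when it
        reaches the threshold."""
        recent = deque(maxlen=frame)
        reports = []
        for i in range(self.window - 1, len(trace)):
            seq = tuple(trace[i - self.window + 1:i + 1])
            recent.append(0 if seq in self.db else 1)
            deviation = sum(recent) / len(recent)
            if deviation >= threshold:
                reports.append((i, trace[i], round(deviation, 2)))
        return reports

# Constructed sample traces of system-call names (not real audit data).
NORMAL_TRACES = [
    ["open", "read", "mmap", "read", "write", "close"],
    ["open", "read", "write", "close", "open", "read", "mmap", "read", "close"],
]
# Same program, but the tail is a call pattern never seen in record mode.
ANOMALOUS_TRACE = ["open", "read", "mmap", "read", "write", "close",
                   "socket", "connect", "dup2", "execve"]

def build_detector(traces=NORMAL_TRACES):
    det = SeqDetector()
    for t in traces:
        det.record(t)
    return det
```

Running `build_detector().detect(NORMAL_TRACES[0])` returns `[]` because every window is in the database, while `detect(ANOMALOUS_TRACE)` returns `[(8, 'dup2', 0.5), (9, 'execve', 0.67)]`: the first three unseen windows are tolerated, and reports begin once half of the frame mismatches.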
Calvin Ko
2000-06-13