Hostname: page-component-cd9895bd7-dk4vv Total loading time: 0 Render date: 2024-12-27T09:00:17.177Z Has data issue: false hasContentIssue false
  • English
  • Français

String distances and intrusion detection:Bridging the gap between formal languages and computersecurity

Published online by Cambridge University Press:  20 July 2006

Danilo Bruschi  and
Giovanni Pighizzini
Danilo Bruschi
Affiliation:
Dipartimento di Informatica e Comunicazione, Università degli Studi di Milano, via Comelico, 39, 20135 Milano, Italy; [email protected],[email protected]
Giovanni Pighizzini
Affiliation:
Dipartimento di Informatica e Comunicazione, Università degli Studi di Milano, via Comelico, 39, 20135 Milano, Italy; [email protected],[email protected]
Get access

Abstract

In this paper we analyze some intrusion detection strategies proposed in the literature and we show that they represent the various facets of a well known formal languages problem: computing the distance between a string x and a language L. In particular, the main differences among the various approaches adopted for building intrusion detection systems can be reduced to the characteristics of the language L and to the notion of distance adopted. As a further contribution we will also show that from the computational point of view all these strategies are equivalent and they are amenable to efficient parallelization.

Keywords

Type
Research Article
Information
RAIRO - Theoretical Informatics and Applications , Volume 40 , Issue 2: Alberto Bertoni: Climbing summits , April 2006 , pp. 303 - 313
Copyright
© EDP Sciences, 2006

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

Allender, E., Bruschi, D. and Pighizzini, G., The complexity of computing maximal word functions. Comput. Compl. 3 (1993) 368391. CrossRef
J.P. Anderson, Computer security threat monitoring and surveillance. Tech. Rep., James P. Anderson Company, Fort Washington (1980).
Brandenburg, F., On one-way auxiliary pushdown automata, in Proc. 3rd GI Conference. Lect. Notes Comput. Sci. 48 (1977) 133144.
Choffrut, C. and Pighizzini, G., Distances between languages and reflexivity of relations. Theoret. Comput. Sci. 286 (2002) 117138. CrossRef
Cook, S., Characterization of pushdown machines in terms of time–bounded computers. J. ACM 18 (1971) 418. CrossRef
Cook, S., A taxonomy of problems with fast parallel algorithms. Inform. Control 64 (1985) 222. CrossRef
D.E. Denning, An intrusion detection model. IEEE Trans. Software Engineering 13 (1987).
H. Feng, O. Kolesnikov, P. Fogla, W. Lee and W. Gong, Anomaly detection using call stack information, in Proc. IEEE Symposium on Security and Privacy. IEEE Press (2003).
S. Forrest, S. Hofmeyr, A. Somayaji and T. Longstaff, A sense of self for Unix processes, in Proc. IEEE Symposium on Security and Privacy. IEEE Press (1996).
Forrest, S., Hofmeyr, S., Somayaji, A. and Longstaff, T., Intrusion detection using sequences of system calls. J. Comput. Security 6 (1998) 151180.
A.K. Ghosh and A. Schwartzbard, A study in using neural networks for anomaly and misuse detection, in Proc. USENIX Security Symposium. USENIX Association (1999).
J. Hopcroft and J. Ullman, Introduction to automata theory, languages, and computations. Addison-Wesley, Reading, MA (1979).
R. Karp and V. Ramachandran, A survey of parallel algorithms for shared-memory machines, in Handbook of Theoretical Computer Science, Vol. A. North Holland (1990).
C. Marceau, Characterizing the behavior of a program using Multiple length N-grams, in Proc. New Security Paradimg Workshop. ACM Press (2000) 101–110.
Pighizzini, G., How Hard is Computing the Edit Distance? Inform. Comput. 165 (2001) 113. CrossRef
R. Sekar, M. Bendre, D. Dhurjati and P. Bollineni, A fast automaton-based method for detecting anomalous program behaviors, in Proc. IEEE Symposium on Security and Privacy. IEEE Press (2001).
Shiloach, Y. and Vishkin, U., Finding the maximum, merging and sorting in a parallel computation model. J. Algorithms 2 (1981) 88102. CrossRef
D. Wagner and D. Dean, Intrusion detection via static analisys, in Proc. IEEE Symposium on Security and Privacy (2001).
Venkateswaran, H., Properties that characterize LOGCFL. J. Comput. Syst. Sci. 43 (1991) 380404. CrossRef