TY - GEN
T1 - PROBE
T2 - 4th Information Security Practice and Experience Conference, ISPEC 2008
AU - Kwon, Minjin
AU - Jeong, Kyoochang
AU - Lee, Heejo
PY - 2008
Y1 - 2008
N2 - Attacks using vulnerabilities are nowadays considered a severe threat. Thus, a host needs a device that monitors system activities for malicious behavior and blocks those activities to protect itself. In this paper, we introduce PROcess BEhavior (PROBE), which monitors the processes running on a host to identify abnormal process behavior. PROBE builds a process tree using only process creation relationships, and then measures each edge weight to determine whether the invocation of each child process constitutes abnormal behavior. PROBE has low processing overhead compared with existing intrusion detection systems that use sequences of system calls. In an evaluation on a representative set of critical security vulnerabilities, PROBE shows desirable and practical intrusion prevention capabilities, with an estimated false-positive rate of only 5% and a false-negative rate of 5%. Therefore, PROBE is a heuristic approach that can also detect unknown attacks, and it is not only lightweight but also accurate.
AB - Attacks using vulnerabilities are nowadays considered a severe threat. Thus, a host needs a device that monitors system activities for malicious behavior and blocks those activities to protect itself. In this paper, we introduce PROcess BEhavior (PROBE), which monitors the processes running on a host to identify abnormal process behavior. PROBE builds a process tree using only process creation relationships, and then measures each edge weight to determine whether the invocation of each child process constitutes abnormal behavior. PROBE has low processing overhead compared with existing intrusion detection systems that use sequences of system calls. In an evaluation on a representative set of critical security vulnerabilities, PROBE shows desirable and practical intrusion prevention capabilities, with an estimated false-positive rate of only 5% and a false-negative rate of 5%. Therefore, PROBE is a heuristic approach that can also detect unknown attacks, and it is not only lightweight but also accurate.
UR - http://www.scopus.com/inward/record.url?scp=41549111606&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=41549111606&partnerID=8YFLogxK
U2 - 10.1007/978-3-540-79104-1_15
DO - 10.1007/978-3-540-79104-1_15
M3 - Conference contribution
AN - SCOPUS:41549111606
SN - 3540791035
SN - 9783540791034
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 203
EP - 217
BT - Information Security Practice and Experience - 4th International Conference, ISPEC 2008, Proceedings
Y2 - 21 April 2008 through 23 April 2008
ER -