PROBE: A process behavior-based host intrusion prevention system

Minjin Kwon; Kyoochang Jeong; Heejo Lee

doi:10.1007/978-3-540-79104-1_15

PROBE: A process behavior-based host intrusion prevention system

Minjin Kwon, Kyoochang Jeong, Heejo Lee

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

4 Citations (Scopus)

Abstract

Attacks using vulnerabilities are considered nowadays a severe threat. Thus, a host needs a device that monitors system activities for malicious behaviors and blocks those activities to protect itself. In this paper, we introduce PROcess BEhavior (PROBE), which monitors processes running on a host to identify abnormal process behaviors. PROBE makes a process tree using only process creation relationship, and then it measures each edge weight to determine whether the invocation of each child process causes an abnormal behavior. PROBE has low processing overhead when compared with existing intrusion detections which use sequences of system calls. In the evaluation on a representative set of critical security vulnerabilities, PROBE shows desirable and practical intrusion prevention capabilities estimating that only 5% false-positive and 5% false-negative. Therefore, PROBE is a heuristic approach that can also detect unknown attacks, and it is not only light-weight but also accurate.

Original language	English
Title of host publication	Information Security Practice and Experience - 4th International Conference, ISPEC 2008, Proceedings
Pages	203-217
Number of pages	15
DOIs	https://doi.org/10.1007/978-3-540-79104-1_15
Publication status	Published - 2008
Event	4th Information Security Practice and Experience Conference, ISPEC 2008 - Sydney, NSW, Australia Duration: 2008 Apr 21 → 2008 Apr 23

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	4991 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Other

Other	4th Information Security Practice and Experience Conference, ISPEC 2008
Country/Territory	Australia
City	Sydney, NSW
Period	08/4/21 → 08/4/23

ASJC Scopus subject areas

Theoretical Computer Science
Computer Science(all)

Access to Document

10.1007/978-3-540-79104-1_15

Cite this

Kwon, M., Jeong, K., & Lee, H. (2008). PROBE: A process behavior-based host intrusion prevention system. In Information Security Practice and Experience - 4th International Conference, ISPEC 2008, Proceedings (pp. 203-217). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 4991 LNCS). https://doi.org/10.1007/978-3-540-79104-1_15

PROBE: A process behavior-based host intrusion prevention system. / Kwon, Minjin; Jeong, Kyoochang; Lee, Heejo.
Information Security Practice and Experience - 4th International Conference, ISPEC 2008, Proceedings. 2008. p. 203-217 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 4991 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Kwon, M, Jeong, K & Lee, H 2008, PROBE: A process behavior-based host intrusion prevention system. in Information Security Practice and Experience - 4th International Conference, ISPEC 2008, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 4991 LNCS, pp. 203-217, 4th Information Security Practice and Experience Conference, ISPEC 2008, Sydney, NSW, Australia, 08/4/21. https://doi.org/10.1007/978-3-540-79104-1_15

Kwon M, Jeong K, Lee H. PROBE: A process behavior-based host intrusion prevention system. In Information Security Practice and Experience - 4th International Conference, ISPEC 2008, Proceedings. 2008. p. 203-217. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-540-79104-1_15

Kwon, Minjin ; Jeong, Kyoochang ; Lee, Heejo. / PROBE : A process behavior-based host intrusion prevention system. Information Security Practice and Experience - 4th International Conference, ISPEC 2008, Proceedings. 2008. pp. 203-217 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{6e0b7c22c2b64ecf9226395483cae50c,

title = "PROBE: A process behavior-based host intrusion prevention system",

abstract = "Attacks using vulnerabilities are considered nowadays a severe threat. Thus, a host needs a device that monitors system activities for malicious behaviors and blocks those activities to protect itself. In this paper, we introduce PROcess BEhavior (PROBE), which monitors processes running on a host to identify abnormal process behaviors. PROBE makes a process tree using only process creation relationship, and then it measures each edge weight to determine whether the invocation of each child process causes an abnormal behavior. PROBE has low processing overhead when compared with existing intrusion detections which use sequences of system calls. In the evaluation on a representative set of critical security vulnerabilities, PROBE shows desirable and practical intrusion prevention capabilities estimating that only 5% false-positive and 5% false-negative. Therefore, PROBE is a heuristic approach that can also detect unknown attacks, and it is not only light-weight but also accurate.",

author = "Minjin Kwon and Kyoochang Jeong and Heejo Lee",

year = "2008",

doi = "10.1007/978-3-540-79104-1_15",

language = "English",

isbn = "3540791035",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

pages = "203--217",

booktitle = "Information Security Practice and Experience - 4th International Conference, ISPEC 2008, Proceedings",

note = "4th Information Security Practice and Experience Conference, ISPEC 2008 ; Conference date: 21-04-2008 Through 23-04-2008",

}

TY - GEN

T1 - PROBE

T2 - 4th Information Security Practice and Experience Conference, ISPEC 2008

AU - Kwon, Minjin

AU - Jeong, Kyoochang

AU - Lee, Heejo

PY - 2008

Y1 - 2008

N2 - Attacks using vulnerabilities are considered nowadays a severe threat. Thus, a host needs a device that monitors system activities for malicious behaviors and blocks those activities to protect itself. In this paper, we introduce PROcess BEhavior (PROBE), which monitors processes running on a host to identify abnormal process behaviors. PROBE makes a process tree using only process creation relationship, and then it measures each edge weight to determine whether the invocation of each child process causes an abnormal behavior. PROBE has low processing overhead when compared with existing intrusion detections which use sequences of system calls. In the evaluation on a representative set of critical security vulnerabilities, PROBE shows desirable and practical intrusion prevention capabilities estimating that only 5% false-positive and 5% false-negative. Therefore, PROBE is a heuristic approach that can also detect unknown attacks, and it is not only light-weight but also accurate.

AB - Attacks using vulnerabilities are considered nowadays a severe threat. Thus, a host needs a device that monitors system activities for malicious behaviors and blocks those activities to protect itself. In this paper, we introduce PROcess BEhavior (PROBE), which monitors processes running on a host to identify abnormal process behaviors. PROBE makes a process tree using only process creation relationship, and then it measures each edge weight to determine whether the invocation of each child process causes an abnormal behavior. PROBE has low processing overhead when compared with existing intrusion detections which use sequences of system calls. In the evaluation on a representative set of critical security vulnerabilities, PROBE shows desirable and practical intrusion prevention capabilities estimating that only 5% false-positive and 5% false-negative. Therefore, PROBE is a heuristic approach that can also detect unknown attacks, and it is not only light-weight but also accurate.

UR - http://www.scopus.com/inward/record.url?scp=41549111606&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=41549111606&partnerID=8YFLogxK

U2 - 10.1007/978-3-540-79104-1_15

DO - 10.1007/978-3-540-79104-1_15

M3 - Conference contribution

AN - SCOPUS:41549111606

SN - 3540791035

SN - 9783540791034

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 203

EP - 217

BT - Information Security Practice and Experience - 4th International Conference, ISPEC 2008, Proceedings

Y2 - 21 April 2008 through 23 April 2008

ER -

PROBE: A process behavior-based host intrusion prevention system

Abstract

Publication series

Other

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this