Abstract
Attacks using vulnerabilities are considered nowadays a severe threat. Thus, a host needs a device that monitors system activities for malicious behaviors and blocks those activities to protect itself. In this paper, we introduce PROcess BEhavior (PROBE), which monitors processes running on a host to identify abnormal process behaviors. PROBE makes a process tree using only process creation relationship, and then it measures each edge weight to determine whether the invocation of each child process causes an abnormal behavior. PROBE has low processing overhead when compared with existing intrusion detections which use sequences of system calls. In the evaluation on a representative set of critical security vulnerabilities, PROBE shows desirable and practical intrusion prevention capabilities estimating that only 5% false-positive and 5% false-negative. Therefore, PROBE is a heuristic approach that can also detect unknown attacks, and it is not only light-weight but also accurate.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Sequeira, D.: Intrusion Prevention Systems: Security’s Silver Bullet? In: Business Communications Review (March 2003)
Forrest, S., Longstaff, T.A.: A Sense of Self for Unix Processes. In: IEEE Symposium on Security and Privacy, pp. 120–128 (1996)
Forrest, S., Hofmeyr, S.A., Somayaji, A.: Computer Immunology. Communications of the ACM 40, 88–96 (1997)
Hofmeyr, S.A., Forrest, S., Somayaji, A.: Intrusion Detection using Sequences of System Calls. Journal of Computer Security 6, 151–180 (1998)
Kim, H.A., Karp, B.: Autograph: Toward Automated, Distributed Worm Signature Detection. In: Proceedings of the 13th Usenix Security Symposium (August 2004)
Newsome, J., Karp, B., Song, D.: Polygraph: Automatically Generating Signatures for Polymorphic Worms. In: IEEE Security and Privacy Symposium (May 2005)
Kirda, E., Kruegel, C., Banks, G., Vigna, G., Kemmerer, R.A.: Behavior-based Spyware Detection. In: 15th Usenix Security Symposium (August 2006)
Cunningham, R.K., Lippmann, R.P., Webster, S.E.: Detecting and Displaying Novel Computer Attacks with Macroscope. IEEE Transactions on Systems, Man and Cybernetics (July 2001)
Russinovich, M.E., Solomon, D.A.: Microsoft Windows Internals. 4 edn., Microsoft Press (December 2004)
SANS: SANS Top20 Lists (November 2006), http://www.sans.org/top20/
Henry, P.A.: Day zero threat mitigation, Seminar: Fighting the Unknown Attack (May 2006), http://www.pisa.org.hk/event/fighting-unknown-attack.htm
Korba, J.: Windows NT Attacks for the Evaluation of Intrusion Detection Systems (June 2000)
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Kwon, M., Jeong, K., Lee, H. (2008). PROBE: A Process Behavior-Based Host Intrusion Prevention System. In: Chen, L., Mu, Y., Susilo, W. (eds) Information Security Practice and Experience. ISPEC 2008. Lecture Notes in Computer Science, vol 4991. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-79104-1_15
Download citation
DOI: https://doi.org/10.1007/978-3-540-79104-1_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-79103-4
Online ISBN: 978-3-540-79104-1
eBook Packages: Computer ScienceComputer Science (R0)