Intrusion detection using variable-length audit trail patterns

Andreas Wespi, Marc Dacier, Hervé Debar

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

115 Scopus citations


Audit trail patterns generated on behalf of a Unix process can be used to model the process behavior. Most of the approaches proposed so far use a table of fixed-length patterns to represent the process model. However, variable-length patterns seem to be more naturally suited to model the process behavior, but they are also more difficult to construct. In this paper, we present a novel technique to build a table of variable-length patterns. This technique is based on Teiresias, an algorithm initially developed for discovering rigid patterns in unaligned biological sequences. We evaluate the quality of our technique in a testbed environment and compare it with the intrusion-detection system proposed by Forrest et al. [8], which is based on fixed-length patterns. The results achieved with our novel method are significantly better than those obtained with the original method based on fixed-length patterns.
Original language: English (US)
Title of host publication: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Publisher: Springer Verlag
Number of pages: 20
ISBN (Print): 9783540410850
State: Published - Jan 1 2000
Externally published: Yes

Bibliographical note

Generated from Scopus record by KAUST IRTS on 2022-09-12
