Motif-Oriented Representation of Sequences for a Host-Based Intrusion Detection System

Audit sequences have been used effectively to study process behaviors and build host-based intrusion detection models. Most sequencebased techniques make use of a pre-defined window size for scanning the sequences to model process behavior. In this paper, we propose two methods for extracting variable length patterns from audit sequences that avoid the necessity of such a pre-determined parameter. We also present a technique for abstract representation of the sequences, based on the empirically determined variable length patterns within the audit sequence, and explore the usage of such representation for detecting anomalies in sequences. Our methodology for anomaly detection takes two factors into account: the presence of individual malicious motifs, and the spatial relationships between the motifs that are present in a sequence. Thus, our method subsumes most of the past works, which primarily based on only the first factor. The preliminary experimental observations appear to be quite encouraging.