Exploiting Frequent Episodes in Weighted Suffix Tree to Improve Intrusion Detection System Min-Feng Wang, Yen-Ching Wu, and Meng-Feng Tsai
Department of Computer Science and Information Engineering National Central University, Jhongli, Taiwan 32001
[email protected] Abstract In this paper we proposed a weighted suffix tree and find out it can improve the Intrusion Detection System (IDS). We firstly focus on the analysis of computer kernel system call, and discover some meaningful information from the unorganized system call sequences. We design a weighted suffix tree algorithm which derives from the concept of suffix tree algorithm for string matching, which then allows to mine the frequent episodes in order to get ordered frequent patterns. We therefore apply these rules to detect malicious attacks, and it shows our IDS still has a good ability to detect intrusion when we use fewer rules.
1. Introduction Intrusion Detection System (IDS) is one of key technologies to ensure dynamic system security. Intrusion detection is defined as “identifying unauthorized use, misuse, and abuse of computer systems by both inside and outside intruders” [5]. There are two basic approaches of intrusion detection: misuse intrusion detection [7, 10], and anomaly intrusion detection [18]. Generally speaking, an IDS does not include preventing intrusions from occurring. All IDSs must have three important functions: data collection, data classification, and data reporting. In general, there are several levels of data to be collected for IDS. Network data has a lot of features which can be provided to analyze intrusion detections. But the transmission of network data is always being encrypted for security; In addition, when source code of the application does not publish, the method of embedding monitoring application code become even more difficult to implement. Unlike network data, system calls of operating system do not have the problem of encryption or decryption, they operate more directly than network packages and are much
easier to analyze. We can collect the system calls simply by monitoring process. In addition, since the system calls will not be affected by the language of process being written, we can successfully avoid the publication problem of the source code. These advantages interest us to analyze system calls of operating system. Data mining generally refers to the process of extracting models from large stores of data [4]. However, researches of IDS which apply data mining techniques [13, 25] do not focus on time order between system calls. And the extracted rule set only contains frequent patterns of disorder system calls. For example, [25] used Apriori algorithm [1] to extract the rules. If it has a rule {01, 02, 03}, then the system calls 01, 02, and 03 will be bundled together all the time without time order identification. In this case, if system calls 01 followed by 02, followed by 03 is the normal order of system call of the process, but system calls 03 followed by 02, followed by 01 is an intrusive behavior, then, the method will not be able to detect the intrusion which applies the same system calls with different order. In order to improve the accuracy of detection, we will keep the order between system calls by using our proposed weighted suffix tree algorithm, and exploit frequent episode mining algorithm to extract significant rules from ordered sequences.
2. Related work Lee et al. introduced data mining techniques into IDS [11, 14, 15, 16, 17, 21]. They hope to exploit the ability of handling huge amount of data to improve the performance of IDS. [13] used the mining algorithm based on FP-tree to extract rule set of normal behavior. [8] proposed a “bag of system calls” to represent IDS. [12] introduced several data mining techniques to enhance IDS. [26] analyzed several anomaly IDSs
which used system calls. [2] involved with several main aspects and technologies of IDS.
2.1. Frequent episodes mining The frequent episodes algorithm described in [20] is an extension of association rules. A frequent episode is a set of items that occur frequently within a time window of a specified length. They emphasize that the items in a serial episode must occur in partial order in time. An example is home, research→theory [sup = 5%, conf = 20%, time = 30s], which means that 5% of the total time windows (30s) of all transactions under analysis, the visiting order starts with home page, and followed by the research guide and the theory page; and 20% of the users who visit the home page and the research guide in time order will visit the theory page subsequently.
2.2. Suffix tree The concept of suffix tree was first introduced as a position tree by Weiner [23]. The construction was greatly simplified by McCreight [19], and also by Ukkonen [22]. Ukkonen provided the first linear-time online-construction of suffix trees. A suffix tree is a tree-like data structure representing all suffixes of a string. The characteristics of suffix tree can support to keep the order between system calls that are recorded in the sequence, and to find all substrings of the sequences.
3. Problem definition A set of system calls which are arranged in time order is called system call sequence. Each trace is the list of system calls issued by a single process from the beginning to the end of execution. A daemon process is used to denote a background system process on UNIX which runs independently of any user who is logged-in. Trace lengths vary widely because of differences in program complexity because some traces are collected daemon processes and others are not. The University of New Mexico (UNM) provides a number of system call data sets. In UNM system call traces, each trace is an output of one program. Most traces involve only one process and usually one sequence is created for each trace. However, sometimes one trace has multiple processes. In such cases, we have extracted one sequence per process in
the original trace. Thus, each system call trace can yield multiple sequences of system calls if the trace has multiple processes. Data sets have been collected from those programs that run with privilege. Monitoring privileged programs has several advantages over monitoring user profiles [9] because the misuse of those programs has the greatest potential for harm to the system. Root processes are more dangerous than user processes because they have access to more parts of the computer system. They have a limited range of behavior, and their behavior is relatively stable over time [3]. Some of the normal traces are “synthetic” and some are “live”. Synthetic traces are collected in production environments by running a prepared script and the program options are chosen solely for the purpose of exercising the program without any real user’s requests, whereas live traces are collected from the program during normal usage of a production computer system. Without loss of generality, we assume that system call sequence is mapped to a set of contiguous integers. Each system call number is an instruction and is recorded into a mapping file. Therefore, we can understand the original instruction by finding the integer from the mapping file. Here we should emphasize that the same operating system with different version will have different mapping file of system calls. It should be noted that the experiments must work under the same version of operating system.
4. Methodology 4.1. Architecture Before introducing our methodology, we’d like to bring out the architecture of our IDS. Because some traces might have multiple processes. The traces must be sent to preprocess so as to gain the system call sequences which contain one process per sequence. For the trace preprocessor in Figure 1, inputs of the program are source data sets and output system call sequences. After preprocessing the traces, the sequences with different length of normal usage are sent to frequent pattern generator. Frequent pattern generator constructs weighted suffix tree for further computation. Rule extractor will extract all rules that satisfy the conditions set by users from frequent pattern generator and collect the rules into rule set pool for further using.
Table 1. The algorithm for weighted suffix tree
Fig. 1. Architecture of proposed system When we collect enough information into rule set pool, our decision engine will exploit rules that are provided from rule set pool to analyze system calls of the monitoring program. The decision engine will report to user interface if an intrusion is detected. Hence these reports will help human experts to solve the problems easier than before.
4.2. Weighted suffix tree A suffix tree can keep the order between system calls that are recorded in the sequence. We can also extract all substrings of the sequence from its suffix tree. Weighting the suffix tree will help us discover the occurring frequency of the patterns. These statistics can then be used to calculate frequent episodes later. There is only one sequence presented in the original suffix tree. Now we change the presentation of suffix tree and our weighted suffix tree is consisted of all sequences. Table 1 is the algorithm pseudo-code for weighted suffix tree. We assume that there are two sequences S1 = {03, 01, 03, 01, 15} and S2 = {01, 01, 03, 01} in the data set D = {S1, S2}. The weighted suffix tree after processing sequence S1 and S2 is shown in Figure 2. We record the traversed number of each node when we built the tree. For example, the rightmost node of weighted suffix tree in Figure 2 is noted as 15(1). 15 means the system number of that node, whereas 1 means the traversed frequency of that node. We extend the representation of suffix tree to deal with multiple input sequences. We note that two or more input sequences may have common suffixes, so the nodes of common suffixes will increase the count number of weight. Further, we can exploit the information of nodes to help us improving intrusion detection technique.
Fig. 2. The weighted suffix tree
4.3. Frequent episodes mining Since the processes we monitored are sometimes used intermittently, we change the setting of fixed time window in [20] into fixed length of system call sequence to suit the feature of our experiments. As we mentioned before, the weighted suffix tree algorithm has processed over data set D which contains two sequences S1, S2. Without loss of generality, we assume that we want to collect the rule set of a fixed sequence of length 3. Hence we can discover a rule set of normal usage which has the fixed sequence length of 3 (see Table 2). There are four different sequences of length 3 collected from the weighted suffix tree. The first column in Table 2 shows all of the sequences which are obtained from the weighted suffix tree, whereas the second column shows the number of the sequences which stands for the number of appearances of the sequence in the whole data set. We can easily obtain the number of each sequence by reading the
Table 2. The sequence of length 3
Table 4. Two parts of IDS
Table 3. Frequent episodes mining algorithm
Fig. 3. Number of rules with different length
weighted counts of the last node of the sequence. Then we can calculate the frequent episodes of each rule further. Here we have a frequent episode rule example is 03, 01 → 03 [sup = 20%, conf = 50%, length = 3], which means 20% of total sequences (of length 3) under analysis system call 03, 01, 03 are used in time order, and 50% of the cases of which system calls 03, 01 have been used in order, system call 03 will be used subsequently. Below we show the definition of support and confidence used in our frequent episodes mining: sup =
the weighted count of the last node of the sequence the sum of the weighted count of the last node of all sequences
conf =
the weighted count of the last node of the sequence the sum of the weighted count of the last node and its all siblings
The value of confidence is a conditional probability. It means the probability that the consequent will occur, given that the antecedents have occurred. We found that we can summarize the weighted counts of all the rules with the same antecedent to be denominator and the weighted count of the sequence be the numerator. We discovered that the rules with the same antecedent have the same prefix in the weighted suffix tree (see Figure 2). Hence, the last nodes of these rules are siblings to each other. We can easily calculate the sum of the weighted count of the last node and its all siblings to gain the value of denominator of confidence. We can exploit the mining algorithm described in Table 3 to repeatedly extract the rule set of different length when the weighted suffix tree has been constructed. In the past, those who focused on analysis of intrusion detection using system call sequences had
Fig. 4. Number of rules with different support threshold a lot trouble with how to choose the most appropriate sequence length. They chose the length from experiment results empirically. When they need to collect another rule set with another sequence length, they must read whole traces again [6, 14]. Once the weighted suffix tree has been constructed, our mining algorithm can overcome the drawback. For example, suppose it is the first time we collect the rule set of length 7. After the operating, nodes of level 7 in the whole tree are labeled as traversed. If we want to collect the rule set of length 11 later, we can use the same tree mining again.
4.4. Intrusion detection model We decide to use t-stide method that is proposed by C. Warrender et al. [24] verifies whether intrusive events occur or not. The “t” in “t-stide” represents the addition of this threshold on sequence frequencies. They set a threshold to prune rare sequences which are regarded as abnormal. We choose support and
Table 5. The rules of length 5
confidence values of frequent episodes to be the threshold condition in t-stide method, instead of the occurring frequencies of the sequences that are previously used in t-stide method. We collect sequences of fixed length k that exceed the threshold and store those sequences together for further using. The traces are compared with the rule set by the decision engine. The decision engine will report to the user interface an alarm when mismatch rate exceeds the threshold.
5. Experiments In this chapter, we will discuss the performance of execution time between the original t-stide method and our method first. Then we will use data sets of synthetic sendmail [3] in our experiments to show the results of the experiments. The experimental results obtained from [14] let us know that a set of specific rules for normal sequences can be used to detect any known and unknown intrusions. Whereas having only the rules for abnormal sequences only provides the capability to detect known intrusions we used 80% of normal traces to construct weighted suffix tree and generated rule sets of different lengths from the weighted suffix tree. The rest 20% of normal traces were used for testing. Both normal and abnormal traces are used for testing. There are three traces of the sscp (sunsendmail) attacks, two traces of the decode attacks, and five traces of the error condition- forwarding loops attacks used for testing too.
5.1. Comparison of execution during rules checking Our IDS can be divided into two parts from data collection, construction of a weighted suffix tree, generation of rule sets, and operation of the decision engine. As we can observe from Table 4, the data collection, construction of the weighted suffix tree, and the generation of rule sets are completed off-line.
Table 6. The rules of length 7
Table 7. The rules of length 9
Whereas the decision engine must response as soon as possible if it detects any deviation of the programs so as to improve the whole security of computer systems. Generally speaking, an IDS wishes to have all possible normal usages of a program to improve the ability of identifying normal and abnormal behaviors. Unfortunately, the increment of rules will affect the performance of the decision engine. We assume that the length of the trace is L, the size of sliding window is w, and there are n rules, L>>w. The window sliding needs to check rule set again in the t-stide method each time. The time complexity of t-stide in worst is O((L-w+1)*n) = O(L*n). Figure 3 shows the original number of rules in the rule set with the length 5 to 11. Figure 4 shows the number of rules under different support threshold. We compare the rule sets of length 5, 7, and 9. We discover that the support threshold becomes higher and the number of rules becomes fewer. Hence the execution time of IDS will be improved by exploiting a smaller rule set. Our IDS can response much more quickly than before when an intrusion has been detected.
5.2. Experimental results Now, we are interested in the accuracy of intrusion detection. Table 5, 6, 7 show that the experimental results using the rules of length 5, 7, and 9. The first row is the experimental result running with the method proposed in [24]. The column of support means the support threshold of frequent episodes. The column of
confidence means the confidence threshold of frequent episodes. The column of normal abn% means the mismatch rate of normal traces. We also record the mismatch rate of the sscp (sunsendmail) attack traces in the column of sscp abn%, the mismatch rate of the decode attack traces in the column of decode abn%, and the mismatch rate of the error conditionforwarding loops attack traces in the column of fwd abn%. We compare the results of the different support and confidence thresholds. The column of gap records the minimal abn% of attack traces minus abn% of normal traces. We can see from Table 5. There are 660 rules when we use the method of [24]. The mismatch rate of normal traces is 3.3%. The mismatch rate of sscp attack is 16.5%. The mismatch rate of decode attack is 5.9%. The mismatch rate of error conditionforwarding loops attack is 13.9%. Hence the mismatch rate gap between normal traces and abnormal traces is 5.9% - 3.3% = 2.6%. After we use different support and confidence thresholds, we can observe that the number of rules is between 546 ~ 256. Hence the operation of decision engine will be faster than before. Because we use fewer rules, some sequences in the trace will be treated as mismatch. Hence the mismatch rate of normal traces will be higher than the method of [24]. On the other hand, the mismatch rate of abnormal traces will also be higher than the method of [24]. The gaps between normal traces and abnormal traces are 10.5%, 12.7%, 17.6%, 17.2%, 18.7%, and 16.2%, respectively. We can discover that the gap is larger than original method, which help us to prove that the decision engine can explicitly recognize which trace is normal or abnormal. We can see from Table 6 which uses the rules of length 7, and Table 7 using the rules of length 9. The gap between normal traces and abnormal traces are still large enough after pruning some rules.
6. Conclusions An IDS needs to process a lot of data sets to carry on analysis. This characteristic allows the application of data mining to become an important component in an IDS. The algorithms which were proposed before can simply find out disorder frequent patterns. It means that we cannot know the order of the system calls. This characteristic is very fallible. For example, an intrusion can use the same frequent patterns but different order to escape the check of IDS. Weighted suffix tree proposed by us can solve this problem easily. Because the system calls between the rules extracted from weighted suffix tree conserve the order
of them, therefore we can fix the fallible drawback of the existing algorithms and improve the performance of the IDS. For different programs, the fittest length of the rules will also be different, which forces an IDS to repeatedly execute experiments with different lengths of rule sets to find out which rule set is the most suitable one. According to the method proposed by [3, 6, 24], constructing a new rule set of another length needs to load the whole traces again. However, with weighted suffix tree, our method needs to load whole trace only one time for constructing, and this tree can quickly extract lots of rule sets. These advantages of weighted suffix tree help to enhance the timeefficiency of the IDS. Frequent episodes mining can identify the rules whose order between system calls is conserved. After setting different support and confidence thresholds, we can prune those rare rules. And we can use fewer rules to speed up the operation of the decision engine. The accuracy is the most important issue of an IDS. The experimental results also show that the gaps between the mismatch rate of normal traces and the mismatch rate of abnormal traces are large after pruning rare rules by Frequent Episodes Mining. It means that IDS can report or alarm to the users or experts accurately.
7. Acknowledgment This work was sponsored by National Central University Project of Promoting Academic Excellence and Developing World Class Research Centers – Applied Informatics and Creative Contents: ServiceOriented Information Platform.
8. References [1] R. Agrawal, and A. Swami, “Fast Algorithms for Mining Association Rules,” Proc. of the 20th Int’l Conf. on Very Large Data Bases, pp. 487-499, Santiago, Chile, 1994. [2] Y. Bai, and H. Kobayashi, “Intrusion Detection Systems: Technology and Development,” Proc. of the 17th IEEE Int’l Conf. on Advanced Information Networking and Applications, pp. 710-715, 2003. [3] S. Forrest, S. A. Hofmeyr, A. Somayaji, and T. A. Longstaff, “A Sense of Self for Unix Processes,” Proc. of the 1996 IEEE Symp. on Security and Privacy, pp. 120-128, Los Alamitos, 1996. [4] U. Fayyad, G. Piatetsky-Shapiro, and P. Smyth, “The KDD Process of Eextracting Uuseful Knowledge from Volumes of Data,” Communication of the ACM, vol. 39, no. 11, pp. 27-34, 1996.
[5] S. Hossain, S. M. Bridges, and R. B. Vaughn, “Adaptive Intrusion Detection with Data Mining,” Proc. of IEEE Int’l Conf. on Systems, Man and Cybernetics, pp. 3097-3103, 2003. [6] S. A. Hofmeyr, S. Forrest, and A. Somayaji, “Intrusion Detection Using Sequences of System Calls,” J. Computer Security, vol. 6, pp. 151-180, 1998. [7] K. Ilgun, R. A. Kemmerer, and P. A. Porras, “State Transition Analysis: A Rule-Based Intrusion Detection Approach,” IEEE Trans. on Software Engineering, vol. 21, no. 3, pp. 181-199, 1995. [8] D-K Kang, D. Fuller, and V. Honavar, ”Learning Classifiers for Misuse Detection Using a Bag of System Calls Representation,” Proc. of IEEE Int’l Conf. on Intelligence and Security Informatics, pp. 511-516, Atlanta, GA, USA, 2005. [9] C. Ko, G. Fink, and K. Levitt, “Automated Detection of Vulnerabilities in Privileged Programs by Execution Monitoring,” Proc. of the 10th Annual Computer Security Applications Conference, pp. 134-144, Dec. 1994. [10] S. Kumar, and E. H. Spafford, “A Software Architecture to Support Misuse Intrusion Detection,” Proc. of the 18th National Information Security Conference, pp. 194-204, 1995. [11] W. Lee, “A Data Mining Framework for Constructing Features and Model for Intrusion Detection System,” Ph.D Dissertations, Columbia University, New York, USA 1999. [12] C.-T. Lu, A. P. Boedihardjo, and P. Manalwar, “Exploiting Efficient Data Mining Techniques to Enhance Intrusion Detection Systems,” Proc. of the IEEE Int’l Conf. on Information Reuse and Integration, pp. 512-517, Las Vegas, Nevada, 2005. [13] T.-R. Li, and W.-M. Pan, “Intrusion Detection System Based on New Association Rule Mining Model,” Proc. of IEEE Int’l Conf. on Granular Computing, pp. 512-515, Beijing, China, 2005. [14] W. Lee, and S. J. Stolfo, “Data Mining Approaches for Intrusion Detection,” Proc. of the 7th USENIX Security Symposium, San Antonio, Texas, 1998. [15] W. Lee, and S. J. Stolfo, “A Framework for Constructing Features and Models for Intrusion Detection Systems,” ACM Trans. on Information and System Security, vol. 3, no. 4, pp. 227-261, 2000. [16] W. Lee, S. J. Stolfo, and P. K. Chan, “Learning Patterns from Unix Process Execution Traces for Intrusion Detection,” Proc. of the AAAI97 Workshop on AI Approaches to Fraud Detection and Risk Management, pp. 50-56, 1997.
[17] W. Lee, S. J. Stolfo, and K. W. Mok, “A Data Mining Framework for Building Intrusion Detection Model,” Proc. of the IEEE Symp. on Security and Privacy, pp. 120-132, Oakland, CA, May 1999. [18] T. Lunt, A. Tamaru, F. Gilham, R. Jagannathan, P. Neumann, H. Javitz, A. Valdes, and T. Garvey, ”A RealTime Intrusion Detection Expert System (IDES) –Final Technical Report,” Technical Report, Computer Science Laboratory, SRI International, Menlo Park, California, 1992. [19] E. M. McCreight, “A Space-Economical Suffix Tree Construction Algorithm,” J. ACM, vol. 23, no. 2, pp. 262272, 1976. [20] H. Mannila, H. Toivonen, and A. I. Verkamo, “Discovering Frequent Episodes in Sequences,” Proc. of the 1st Int’l Conf. on Knowledge Discovery in Databases and Data Mining, pp. 210-215, Montreal, Canada, 1995. [21] S. J. Stolfo, W. Lee, P. K. Chan, W. Fan, and E. Eskin, “Special Section on Data Mining for Intrusion Detection and Threat Analysis: Data Mining-Based Intrusion Detectors: An Overview of the Columbia IDS Project,” ACM SIGMOD Record, vol. 30, no. 4, pp. 5-14, Dec. 2001. [22] E. Ukkonen, “On-Line Construction of Suffix Trees,” Algorithmica, vol. 14, no. 3, pp. 249-260, 1995. [23] P. Weiner, “Linear Pattern Matching Algorithm,” Proc. of the 14th IEEE Symp. on Switching and Automata Theory, pp 1-11, 1973. [24] C. Warrender, S. Forrest, and B. Pearlmutter, “Detecting Intrusions Using System Calls: Alternative Data Models,” Proc. of the IEEE Symp. on Security and Privacy, pp. 133145, 1999. [25] M.-J. Xu, and G. Gu, “Method and Usage of Mining Association Rules in System Call Serial,” Computer Systems & Applications, no. 4, pp. 26-28, 2004. [26] M. M. Yasin, and A. A. Awan, ”A Study of Host-based IDS Using System Calls,” Proc. of the IEEE Int’l Conf. on Networking and Communication, pp. 36-41, 2004.
