Anomaly detection based on the regularity of normal behaviors

Authors: Pan, Feng*; Wang, Weinong
Source: 1st International Symposium on Systems and Control in Aerospace and Astronautics, Harbin, Heilongjiang, China, 2006-01-19 to 2006-01-21.

Abstract

This paper proposes an entropy-based method to measure the regularity of normal behaviors in anomaly detection. The measure is defined as the ratio of the entropy of normal behavior to the entropy of totally random behavior. A case study on Unix system call data is then used to illustrate the accuracy of this method. We also propose a new algorithm to detect intrusions using system calls. This algorithm uses a data structure called a weight tree: first, normal system call traces are used to build a weight tree forest; then a suspect trace is scanned against these trees to obtain the corresponding weight sequence. This weight sequence indicates whether or not something abnormal has happened.
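The following added example (not code from the paper) illustrates both ideas on constructed system call traces. It assumes that behavior is modelled as n-grams of system calls, that the "totally random" baseline is the uniform distribution over all n-grams of the observed alphabet (entropy n * log2(|alphabet|)), and that a weight tree can be simplified to a trie of n-gram counts learned from the normal trace, with a weight of 0 marking an n-gram the normal data never produced.

```python
import math
from collections import Counter

# Constructed sample traces (not from the paper): a regular normal trace and
# a suspect trace containing a system call the normal trace never used.
NORMAL_TRACE = ["open", "read", "write", "close"] * 4
SUSPECT_TRACE = ["open", "read", "execve", "write", "close"]

def ngrams(trace, n):
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]

def entropy(counts):
    """Shannon entropy (bits) of a Counter of observed n-grams."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def regularity(trace, n=2):
    """Ratio of the observed n-gram entropy to the entropy of a uniform
    (totally random) distribution over all n-grams of the trace's alphabet.
    Assumption: this is how the paper's ratio is instantiated here."""
    h_max = n * math.log2(len(set(trace)))
    return entropy(Counter(ngrams(trace, n))) / h_max

def build_weight_tree(trace, n=2):
    """Simplified weight tree (assumption): a trie keyed by successive calls,
    whose leaf holds how often that n-gram occurred in the normal trace."""
    root = {}
    for gram in ngrams(trace, n):
        node = root
        for call in gram[:-1]:
            node = node.setdefault(call, {})
        node[gram[-1]] = node.get(gram[-1], 0) + 1
    return root

def weight_sequence(tree, trace, n=2):
    """Scan a trace with the tree: each n-gram maps to its learned weight,
    or 0 if the normal data never produced it."""
    seq = []
    for gram in ngrams(trace, n):
        node = tree
        for call in gram:
            node = node.get(call, 0) if isinstance(node, dict) else 0
        seq.append(node)
    return seq

def is_anomalous(weights, threshold=0):
    """Flag the trace when any n-gram weight falls to the threshold."""
    return any(w <= threshold for w in weights)
```

For the constructed normal trace the regularity ratio is about 0.50, while the suspect trace yields the weight sequence [4, 0, 0, 4] and is flagged.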