Finite Automata Models for Anomaly Detection

Abstract

A fundamental problem in intrusion detection is the fusion of dependent information sequences. In this paper, we consider the fusion of twosuch sequences, namely the sequences of system calls and thevalues of the instruction pointer. We introduce FAAD, a finite automatonrepresentation defined for the product alphabet of the two sequences wheredependencies are implicitly taken into account by a matchingprocedure. Our learning algorithm captures these dependencies through the application of certain parameterized functions. Through thechoice of thresholds and inner product structures, we areable to produce a compact representation of thenormal behavior of program.