A Pattern Matching Based Filter for Audit Reduction and Fast Detection of Potential Intrusions

Josué Kuri, Gonzalo Navarro, Ludovic Mé and Laurent Heye

We present a pattern matching approach to the problem of misuse detection in a computer system, which we formalize as a problem of multiple approximate pattern matching. This permits very fast searching for potential attacks. We study the matching probability of the model and its relation to how efficiently potential attacks can be filtered out of large audit trails. Experimental results show that, in the worst case, up to 85% of an audit trail can be filtered out when searching for a set of attacks with no possibility of false negatives. Moreover, by filtering 98% of the audit trail, up to 50% of the attacks can be detected.
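The following is an added illustration of the filtering idea described above; it is not code from the paper or its authors. It assumes a simplified matching model of its own choosing: an attack signature is an ordered list of audit event names, an approximate occurrence is that list appearing in order in the trail with at most `k` unrelated events inserted between its elements, and the filter keeps every trail position that lies inside such an occurrence (so no true occurrence under this model is dropped) and discards the rest.

```python
# Added example (not from the paper): audit-trail filtering by approximate
# matching of several attack signatures at once. The insertion-only model and
# the event names below are assumptions made for this illustration.

# Constructed sample audit trail: one event name per audit record.
TRAIL = ["login", "ls", "cat", "su", "ls", "chmod", "passwd", "exit",
         "login", "ls", "cat", "cat", "ls", "exit",
         "login", "vi", "mail", "exit", "login", "exit"]

# Constructed attack signatures (hypothetical, for illustration only).
SIGNATURES = {
    "priv_escalate": ["su", "chmod", "passwd"],
    "recon": ["login", "ls", "cat", "cat"],
}


def find_occurrences(trail, signature, k):
    """Return (start, end) spans where `signature` appears in order in `trail`
    with at most `k` unrelated events inserted between its elements.

    From a fixed start, matching each next signature event at its earliest
    position minimises the span, hence the insertion count, so a greedy walk
    is exact for this insertion-only model."""
    occurrences = []
    for start, event in enumerate(trail):
        if event != signature[0]:
            continue
        inserted, j, pos = 0, 1, start + 1
        while j < len(signature) and pos < len(trail) and inserted <= k:
            if trail[pos] == signature[j]:
                j += 1
            else:
                inserted += 1
            pos += 1
        if j == len(signature) and inserted <= k:
            occurrences.append((start, pos - 1))
    return occurrences


def filter_trail(trail, signatures, k):
    """Match every signature and return (hits, kept_positions)."""
    hits, keep = {}, set()
    for name, signature in signatures.items():
        spans = find_occurrences(trail, signature, k)
        if spans:
            hits[name] = spans
        for start, end in spans:
            keep.update(range(start, end + 1))
    return hits, keep


def filtered_fraction(trail, keep):
    """Share of the trail the filter discards before any deeper analysis."""
    return 1.0 - len(keep) / len(trail)
```

Raising `k` admits more interleaved noise and therefore keeps more of the trail, which is the trade-off between filtering rate and detection the abstract quantifies.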