Fig. 13. Finite automaton constructed from Fig. 12
All of the 47 normal sequences were accepted by the finite automaton, and all of
the 34 abnormal sequences were rejected by the automaton, showing 0% false positive
rate and 100% detection rate. Forrest's N-grams method also showed perfect false
positive rate and detection rate.
4.2 lpr Program
The procedures for constructing the finite automaton modeling the normal behavior of
the lpr program are the same as in the case for lpr program described in the previous
section 4.1.
There are two kinds of lpr data, one from MIT and the other from the University of
New Mexico [18]. There are 2797 normal sequences in the MIT data and 1232 normal
sequences in the UNM data. There are 1001 abnormal sequences in both data sets. We
used 700 normal sequences for constructing the finite automaton modeling the normal
behavior, and the rest of the sequences for testing the performance of the automaton.
Table 1 shows the results of tests using our finite automaton and those of the N-gram
approach [6]. Both approaches show a perfect detection rate, but ours shows slightly
better performance than the N-gram approach in false positive rate. We believe that
analysis of whole sequences has a slight edge over analysis of short sequences.
Table 1. Results of modeling and tests on lpr program
| Data set | Number of sequences used for normal behavior modeling | Finite automata: detection | Finite automata: false positive | N-gram method: detection | N-gram method: false positive |
| MIT lpr  | 700 | 1001/1001 | 5/2097 | 1001/1001 | 28/2097 |
| UNM lpr  | 700 | 1001/1001 | 3/532  | 1001/1001 | 4/532   |