- ... program.1
- Our original paper on using system calls for intrusion detection [16] used a technique called "lookahead pairs." pH uses the original lookahead pairs algorithm as described here, except that it looks behind instead of ahead. Later papers [20,38] report results based on recording full sequences. We reverted to lookahead pairs because it is simple to implement and extremely efficient.
- ... (LFC).2
- A somewhat different approach was taken in Hofmeyr [20], where the measure of anomalous behavior was based on Hamming distances between unknown sequences and their closest match in the normal database.
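The two profiling schemes the footnotes contrast, as an added example that is not code from pH or from any of the cited papers: a lookbehind-pairs profile (pairs of a call and the call k positions earlier, as pH uses) and a full-sequence database scored by closest-match Hamming distance. The window length and both traces are constructed assumptions, not values from the paper.

```python
"""Lookbehind pairs (pH-style) vs. Hamming-distance matching on system-call traces."""
from collections import defaultdict

WINDOW = 4  # assumed window length; the excerpt does not give pH's real setting

# Constructed training trace standing in for one program's normal system calls.
NORMAL = ["open", "read", "mmap", "close", "open", "read", "write", "close", "exit"]
# Constructed unknown trace containing a call order never seen in NORMAL.
UNKNOWN = ["open", "read", "mmap", "close", "open", "execve", "write", "close", "exit"]


def train_pairs(trace, window=WINDOW):
    """Lookbehind-pairs profile: for each call and each offset k (1 .. window-1),
    the set of calls observed k positions earlier in the normal trace."""
    profile = defaultdict(set)
    for i, call in enumerate(trace):
        for k in range(1, window):
            if i - k >= 0:
                profile[(call, k)].add(trace[i - k])
    return profile


def count_mismatches(profile, trace, window=WINDOW):
    """Number of (call, offset, earlier call) combinations absent from the profile."""
    mismatches = 0
    for i, call in enumerate(trace):
        for k in range(1, window):
            if i - k >= 0 and trace[i - k] not in profile.get((call, k), set()):
                mismatches += 1
    return mismatches


def train_sequences(trace, window=WINDOW):
    """Full-sequence database: every length-`window` sliding window of the trace."""
    return {tuple(trace[i:i + window]) for i in range(len(trace) - window + 1)}


def min_hamming(db, seq):
    """Hamming distance from `seq` to its closest sequence in the database."""
    return min(sum(a != b for a, b in zip(seq, known)) for known in db)


def hamming_anomaly(db, trace, window=WINDOW):
    """Largest closest-match Hamming distance over all windows of the trace."""
    return max(min_hamming(db, tuple(trace[i:i + window]))
               for i in range(len(trace) - window + 1))
```

Running the normal trace through either scheme yields 0; the unknown trace yields 6 pair mismatches (the unseen `execve` breaks every pair it participates in) but a maximum Hamming distance of only 1, which shows why the two measures rank the same anomaly differently.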