A Survey on Automata Intrusion Detection System

Zoya Shahcheraghi, Siavash Bahrami
Faculty of Computer Science and Information Technology
University Putra Malaysia
43400 UPM Serdang, Selangor, Malaysia
zoya.shahcheraghi@gmail.com, siavash.bahrami@live.com

Abstract— An intrusion detection system (IDS) is an intelligent system which aims to monitor network activity against unauthorized access, malicious attack, policy violations and misuse of the protected system. In this paper, we reviewed two automata models for each of the intrusion detection techniques, namely anomaly detection and signature detection. Two experiments were conducted to test the Adaptive Time-dependent Finite Automata (ATFA) model, used for anomaly detection, and the Delayed Input DFA (D²FA) model, used for signature detection.

I. INTRODUCTION

An intrusion detection system (IDS) is an intelligent system which aims to monitor all inbound and outbound network activity against unauthorized access, malicious attack, policy violations and misuse of the protected system. An IDS works on the assumption that the behavior of an intruder differs from that of an authorized user and that these activities are quantifiable.

Intrusion detection techniques are broadly classified into four categories: anomaly detection, signature detection, hybrid detection, and computational intelligence detection [1]. In this paper, however, we consider only the first two intrusion detection methods. In anomaly detection, any behavior that deviates from the models of subject behavior is considered an attack. Moreover, it is able to detect unknown attacks, since no prior knowledge about a specific intrusion is required [2]. Signature detection matches the input traffic against a signature database, which contains a list of the patterns of known malicious attacks and malware, known as signatures.

In this paper, we reviewed automata approaches to IDS and discussed the models used for both anomaly detection and signature detection techniques. For anomaly detection, the models introduced in the articles are generally used for describing program behaviors or are adopted for intrusion recognition. For signature detection, the models introduced are generally used for regular expression matching, which is used in the pattern-matching process. Two experiments were conducted to test the Adaptive Time-dependent Finite Automata (ATFA) model, used for anomaly detection, and the Delayed Input DFA (D²FA) model, used for signature detection.

II. ANOMALY-BASED IDS

1-Finite State Automaton (FSA)

The first intrusion detection approach was proposed by Forrest et al. [3], in which anomalous sequences of system calls were used to model program behaviors using an n-gram learning algorithm. Since their work, anomaly detection on system call sequences has become the most effective approach for detecting novel intrusions. A typical way of learning sequences is to use an automata model, namely the Finite-State Automaton (FSA).

Kosoresow and Hofmeyr [4] utilized a Finite-State Automaton model to further increase the accuracy of the n-gram learning algorithm. However, they did not provide an algorithm to construct the FSA; a manual procedure was employed instead.

Michael and Ghosh [5] developed an algorithm which constructs an FSA from strings, but it handles only finite-length strings. Their approach therefore learned tree-structured automata. The main problem is that learning tree-structured automata is computationally simpler than learning a general Finite-State Automaton, which contains cycles.

Warrender et al. [6] reviewed four different algorithms for learning program behaviors. The first was the data-mining-based algorithm proposed by Lee and Stolfo [7], and the second was the Hidden Markov Model (HMM), which is a finite-state model broadly used in speech recognition.

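The difference between a tree-structured automaton learned from finite strings and an FSA that contains cycles can be seen on a small case. The following is an added example, not code from this paper or from the cited works: both learners are simplified constructions, and the traces, the function names and the choice of "last k calls" as the FSA state are assumptions made for illustration.

```python
# Constructed system-call traces of one program: open, (read write)*, close.
TRAIN = [
    ["open", "read", "write", "close"],
    ["open", "read", "write", "read", "write", "close"],
]
BENIGN_LONG = ["open"] + ["read", "write"] * 4 + ["close"]  # more loop iterations
INTRUSION = ["open", "read", "execve", "write", "close"]    # call never seen here

def learn_tree(traces):
    """Tree-structured automaton: a prefix tree over the finite training strings."""
    root = {}
    for trace in traces:
        node = root
        for call in trace:
            node = node.setdefault(call, {})
    return root

def tree_first_anomaly(root, trace):
    """Index of the first call with no matching edge, or None if none is found."""
    node = root
    for i, call in enumerate(trace):
        if call not in node:
            return i
        node = node[call]
    return None

def learn_fsa(traces, k=2):
    """FSA with cycles. Assumption: a state is the tuple of the last k calls."""
    delta = {}
    for trace in traces:
        state = ()
        for call in trace:
            nxt = (state + (call,))[-k:]
            delta.setdefault(state, {})[call] = nxt
            state = nxt
    return delta

def fsa_first_anomaly(delta, trace):
    """Index of the first call with no learned transition, or None if none."""
    state = ()
    for i, call in enumerate(trace):
        nxt = delta.get(state, {}).get(call)
        if nxt is None:
            return i
        state = nxt
    return None

if __name__ == "__main__":
    tree, fsa = learn_tree(TRAIN), learn_fsa(TRAIN)
    for name, trace in [("benign_long", BENIGN_LONG), ("intrusion", INTRUSION)]:
        print(name, tree_first_anomaly(tree, trace), fsa_first_anomaly(fsa, trace))
```

The prefix tree raises a false alarm on the benign trace as soon as the loop runs longer than in training, while the cyclic FSA follows the read/write cycle and still flags the unseen call in the intrusion trace.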
Warrender et al. reported that HMMs produce slightly higher accuracy, but because of the length of training required, they are not considered suitable for intrusion detection.

Sakar et al. [8] proposed an efficient technique for intrusion detection based on learning program behaviors. Their approach is to capture program behaviors based on sequences of system calls and to represent these sequences using a finite-state automaton. Moreover, they construct a compact FSA in a fully automatic and efficient manner. Their FSA technique, unlike many of the previous techniques, is able to capture both short-term and long-term temporal relationships between system calls, and therefore performs more accurate detection. The captured program behaviors will be used for training of the Intrusion Detection