Frontiers of Computer Science
ISSN 2095-2228; ISSN 2095-2236 (Online)
CN 10-1014/TP
Postal distribution code 80-970
2019 Impact Factor: 1.275

Front. Comput. Sci.  2010, Vol. 4 Issue (4): 522-528   https://doi.org/10.1007/s11704-010-0570-9
Research articles
Network intrusion detection based on system calls and data mining
Xinguang TIAN (1), Xueqi CHENG (1), Miyi DUAN (2), Rui LIAO (3), Hong CHEN (4), Xiaojuan CHEN (5)
1. Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100080, China
2. Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100080, China; Institute of Computing Technology, Beijing Jiaotong University, Beijing 100029, China
3. Institute of Computing Technology, Beijing Jiaotong University, Beijing 100029, China
4. Zhengzhou Information Science and Technology Institute, Zhengzhou 450004, China
5. College of Computer and Information Engineering, Beijing Technology and Business University, Beijing 100037, China
Abstract: Anomaly intrusion detection is currently an active research topic in the field of network security. This paper proposes a novel method for detecting anomalous program behavior, which is applicable to host-based intrusion detection systems that monitor system call activity. The method employs data mining techniques to model the normal behavior of a privileged program, and extracts normal system call sequences according to their supports and confidences in the training data. At the detection stage, a fixed-length sequence pattern matching algorithm is used to compare the current behavior with the historic normal behavior; this is less computationally expensive than the variable-length pattern matching algorithm proposed by Hofmeyr et al. Also at this stage, the temporal correlation of the audit data is taken into account, and two alternative schemes can be used to distinguish between normal behavior and intrusions. The method gives attention to both computational efficiency and detection accuracy, and is especially suitable for online detection. It has been applied to practical host-based intrusion detection systems, and has achieved high detection performance.
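As an added illustration (not the paper's code or data), a minimal version of the scheme the abstract describes: normal fixed-length system call sequences are mined from training traces by support and confidence, then a current trace is matched window by window and judged per frame of consecutive windows so that temporally clustered mismatches raise the alarm. The window length, the thresholds, the precise support/confidence definitions and the sample traces are all this example's assumptions.

```python
from collections import Counter

# Constructed training traces (system-call names of a privileged program),
# standing in for the paper's audit data; this is not the paper's code or data.
TRAIN_TRACES = [
    ["open", "read", "mmap", "mmap", "close", "open", "read", "close"],
    ["open", "read", "mmap", "mmap", "close", "open", "read", "write", "close"],
    ["open", "read", "mmap", "close", "open", "read", "close"],
]
NORMAL_TRACE = ["open", "read", "mmap", "mmap", "close", "open", "read", "close"]
# Constructed trace with unexpected network calls inside the usual pattern.
ANOMALOUS_TRACE = ["open", "read", "mmap", "mmap", "close",
                   "socket", "connect", "open", "read", "close"]
K = 3  # fixed window length; the paper's actual length is not stated here

def windows(trace, k):
    """Slide a fixed-length window over a system-call trace."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]

def mine_normal_patterns(traces, k, min_support, min_confidence):
    """Keep k-grams whose support (fraction of all training windows) and
    confidence (fraction of the k-1 prefix's occurrences that are followed
    by this last call) reach the thresholds. Both definitions are this
    example's assumptions; the abstract does not spell them out."""
    seq, prefix = Counter(), Counter()
    for trace in traces:
        for w in windows(trace, k):
            seq[w] += 1
            prefix[w[:-1]] += 1
    total = sum(seq.values())
    return {w for w, c in seq.items()
            if c / total >= min_support and c / prefix[w[:-1]] >= min_confidence}

def detect(trace, patterns, k, frame, max_abnormal_ratio):
    """Fixed-length matching: a window absent from the normal set is a
    mismatch. Temporal correlation: judge consecutive windows per frame
    and alarm when the frame's mismatch ratio exceeds the threshold.
    Returns (start indices of alarmed frames, total mismatches)."""
    flags = [w not in patterns for w in windows(trace, k)]
    alarms = [i for i in range(0, len(flags), frame)
              if sum(flags[i:i + frame]) / len(flags[i:i + frame])
              > max_abnormal_ratio]
    return alarms, sum(flags)

if __name__ == "__main__":
    normal = mine_normal_patterns(TRAIN_TRACES, K, 0.1, 0.3)
    print(sorted(normal))
    print(detect(NORMAL_TRACE, normal, K, 4, 0.25))     # ([], 0)
    print(detect(ANOMALOUS_TRACE, normal, K, 4, 0.25))  # ([4], 4)
```

The rare sequences (open, read, write) and (read, mmap, close) fall below the support threshold and are left out of the normal set, which is the trade-off the abstract points to: the thresholds trade false alarms on rare but legitimate behavior against missed anomalies.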
Keywords: intrusion detection; data mining; system call; anomaly detection
Publication date: 2010-12-05
Cite this article:
Xinguang TIAN, Xueqi CHENG, Miyi DUAN, Rui LIAO, Hong CHEN, Xiaojuan CHEN. Network intrusion detection based on system calls and data mining. Front. Comput. Sci., 2010, 4(4): 522-528.
Link to this article:
https://academic.hep.com.cn/fcs/CN/10.1007/s11704-010-0570-9
https://academic.hep.com.cn/fcs/CN/Y2010/V4/I4/522
References:
Tian X G, Duan M Y, Sun C L, Li W F. Intrusion detection based on system calls and homogeneous Markov chains. Journal of Systems Engineering and Electronics, 2008, 19(3): 598–605. doi: 10.1016/S1004-4132(08)60126-7
Tian X G, Duan M Y, Li W F, Sun C L. Anomaly detection of user behavior based on shell commands and homogeneous Markov chains. Chinese Journal of Electronics, 2008, 17(2): 231–236
Mukkamala S, Sung A H, Abraham A. Intrusion detection using an ensemble of intelligent paradigms. Journal of Network and Computer Applications, 2005, 28(2): 167–182. doi: 10.1016/j.jnca.2004.01.003
Oh S H, Lee W S. A clustering-based anomaly intrusion detector for a host computer. IEICE Transactions on Information and Systems, 2004, E87-D(8): 2086–2094
Yan Q, Xie W X, Yang B, Song G. An anomaly intrusion detection method based on HMM. Electronics Letters, 2002, 38(13): 663–664. doi: 10.1049/el:20020467
Lane T, Brodley C E. An empirical study of two approaches to sequence learning for anomaly detection. Machine Learning, 2003, 51(1): 73–107. doi: 10.1023/A:1021830128811
Lee W, Dong X. Information-theoretic measures for anomaly detection. In: Proceedings of the 2001 IEEE Symposium on Security and Privacy, May 2001, Oakland, USA. IEEE Computer Society, 2001: 130–134
Hofmeyr S A, Forrest S, Somayaji A. Intrusion detection using sequences of system calls. Journal of Computer Security, 1999, 6(3): 151–180
Ye N, Emran S M, Chen Q, Vilbert S. Multivariate statistical analysis of audit trails for host-based intrusion detection. IEEE Transactions on Computers, 2002, 51(7): 810–820. doi: 10.1109/TC.2002.1017701
Verwoerd T, Hunt R. Intrusion detection techniques and approaches. Computer Communications, 2002, 25(15): 1356–1365. doi: 10.1016/S0140-3664(02)00037-3
Warrender C, Forrest S, Pearlmutter B. Detecting intrusions using system calls: alternative data models. In: Proceedings of the 1999 IEEE Symposium on Security and Privacy, May 1999, Berkeley, USA. IEEE Computer Society, 1999: 133–145
Tian X G, Gao L Z, Sun C L, Duan M Y, Zhang E Y. A method for anomaly detection of user behaviors based on machine learning. The Journal of China Universities of Posts and Telecommunications, 2006, 13(2): 61–65, 78