Network intrusion detection based on system calls and data mining

  • Research Article
  • Published in: Frontiers of Computer Science in China

Abstract

Anomaly intrusion detection is currently an active research topic in network security. This paper proposes a method for detecting anomalous program behavior that is applicable to host-based intrusion detection systems monitoring system call activity. The method uses data mining techniques to model the normal behavior of a privileged program, extracting normal system call sequences from the training data according to their support and confidence. At the detection stage, a fixed-length sequence pattern matching algorithm compares the current behavior against the historical normal behavior; this is less computationally expensive than the variable-length pattern matching algorithm proposed by Hofmeyr et al. The temporal correlation of the audit data is also taken into account at this stage, and two alternative decision schemes can be used to distinguish normal behavior from intrusions. The method balances computational efficiency and detection accuracy, and is especially suitable for online detection. It has been applied to practical host-based intrusion detection systems and has achieved high detection performance.
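The following is an added illustration of the pipeline the abstract describes (mine fixed-length system call sequences by support and confidence, then match fixed-length windows at detection time and judge them over a temporal window). It is not code from the paper, whose full text is not reproduced on this page; the definitions of support and confidence, the thresholds, the two decision schemes and the sample traces are all assumptions made for this example.

```python
from collections import Counter
from typing import List, Optional, Sequence, Set, Tuple

Window = Tuple[str, ...]

# Constructed sample audit data: system call names as a privileged daemon might
# issue them. These are illustrative traces, not real audit records.
NORMAL_TRACES: List[List[str]] = [
    ["open", "read", "read", "close", "open", "write", "close", "exit"],
    ["open", "read", "close", "open", "write", "write", "close", "exit"],
    ["open", "read", "read", "read", "close", "open", "write", "close", "exit"],
    ["open", "read", "close", "open", "write", "close", "exit"],
] * 3  # repeated so supports are not dominated by a single trace

# Constructed attack-like trace: execve/setuid never appear in training.
ATTACK_TRACE = ["open", "read", "close", "execve", "setuid",
                "open", "write", "close", "exit"]

# Assumed parameters (the paper's actual values are not given in the abstract).
K = 3                 # fixed window length
MIN_SUPPORT = 0.05    # window's share of all training windows
MIN_CONFIDENCE = 0.3  # P(last call | preceding K-1 calls)
DECISION_LEN = 4      # scheme A: consecutive windows judged together
MAX_RATE = 0.5        # scheme A: alarm if mismatch fraction exceeds this
MAX_RUN = 3           # scheme B: alarm on this many consecutive mismatches


def mine_patterns(traces: Sequence[Sequence[str]], k: int,
                  min_support: float, min_confidence: float) -> Set[Window]:
    """Training: keep every length-k window whose support and confidence in the
    training traces reach the thresholds. Support is the window's share of all
    windows; confidence is the share of windows with the same k-1 prefix that end
    in the same call (an association-rule reading of prefix -> last call)."""
    window_counts: Counter = Counter()
    prefix_counts: Counter = Counter()
    for trace in traces:
        for i in range(len(trace) - k + 1):
            w = tuple(trace[i:i + k])
            window_counts[w] += 1
            prefix_counts[w[:-1]] += 1
    total = sum(window_counts.values())
    return {
        w for w, c in window_counts.items()
        if c / total >= min_support and c / prefix_counts[w[:-1]] >= min_confidence
    }


def window_mismatches(trace: Sequence[str], patterns: Set[Window], k: int) -> List[int]:
    """Detection core: slide a length-k window over the trace; each position is
    one hash-set lookup (1 = not a known normal sequence, 0 = known)."""
    return [0 if tuple(trace[i:i + k]) in patterns else 1
            for i in range(len(trace) - k + 1)]


def detect_by_rate(trace: Sequence[str], patterns: Set[Window], k: int,
                   decision_len: int, max_rate: float) -> Tuple[bool, Optional[int]]:
    """Scheme A: alarm when the mismatch fraction over any decision_len
    consecutive windows exceeds max_rate. Returns (alarm, first offending index)."""
    flags = window_mismatches(trace, patterns, k)
    for i in range(len(flags) - decision_len + 1):
        if sum(flags[i:i + decision_len]) / decision_len > max_rate:
            return True, i
    return False, None


def detect_by_run(trace: Sequence[str], patterns: Set[Window], k: int,
                  max_run: int) -> Tuple[bool, Optional[int]]:
    """Scheme B: alarm when max_run consecutive windows all mismatch.
    Returns (alarm, index of the window that completed the run)."""
    run = 0
    for i, f in enumerate(window_mismatches(trace, patterns, k)):
        run = run + 1 if f else 0
        if run >= max_run:
            return True, i
    return False, None


NORMAL_PATTERNS = mine_patterns(NORMAL_TRACES, K, MIN_SUPPORT, MIN_CONFIDENCE)

if __name__ == "__main__":
    print("normal patterns:", sorted(NORMAL_PATTERNS))
    for name, trace in (("training trace 2", NORMAL_TRACES[1]), ("attack", ATTACK_TRACE)):
        print(name, window_mismatches(trace, NORMAL_PATTERNS, K),
              detect_by_rate(trace, NORMAL_PATTERNS, K, DECISION_LEN, MAX_RATE),
              detect_by_run(trace, NORMAL_PATTERNS, K, MAX_RUN))
```

With these thresholds the rare `write, write` sequence in the second training trace is pruned by support, so that trace produces two isolated mismatches at detection time but no alarm under either scheme, while the attack trace produces four consecutive mismatches and trips both. That is the practical reason for judging mismatches over a temporal window rather than individually: pruning low-support sequences keeps the normal profile compact, and the decision window absorbs the occasional legitimate sequence that pruning discards. The per-window cost is a single hash lookup, which is the efficiency argument for fixed-length matching.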


References

  1. Tian X G, Duan M Y, Sun C L, Li W F. Intrusion detection based on system calls and homogeneous Markov chains. Journal of Systems Engineering and Electronics, 2008, 19(3): 598–605
  2. Tian X G, Duan M Y, Li W F, Sun C L. Anomaly detection of user behavior based on shell commands and homogeneous Markov chains. Chinese Journal of Electronics, 2008, 17(2): 231–236
  3. Mukkamala S, Sung A H, Abraham A. Intrusion detection using an ensemble of intelligent paradigms. Journal of Network and Computer Applications, 2005, 28(2): 167–182
  4. Oh S H, Lee W S. A clustering-based anomaly intrusion detector for a host computer. IEICE Transactions on Information and Systems, 2004, E87-D(8): 2086–2094
  5. Yan Q, Xie W X, Yang B, Song G. An anomaly intrusion detection method based on HMM. Electronics Letters, 2002, 38(13): 663–664
  6. Lane T, Brodley C E. An empirical study of two approaches to sequence learning for anomaly detection. Machine Learning, 2003, 51(1): 73–107
  7. Lee W, Dong X. Information-theoretic measures for anomaly detection. In: Proceedings of the 2001 IEEE Symposium on Security and Privacy, May 2001, Oakland, USA. IEEE Computer Society, 2001: 130–134
  8. Hofmeyr S A, Forrest S, Somayaji A. Intrusion detection using sequences of system calls. Journal of Computer Security, 1999, 6(3): 151–180
  9. Ye N, Emran S M, Chen Q, Vilbert S. Multivariate statistical analysis of audit trails for host-based intrusion detection. IEEE Transactions on Computers, 2002, 51(7): 810–820
  10. Verwoerd T, Hunt R. Intrusion detection techniques and approaches. Computer Communications, 2002, 25(15): 1356–1365
  11. Warrender C, Forrest S, Pearlmutter B. Detecting intrusions using system calls: alternative data models. In: Proceedings of the 1999 IEEE Symposium on Security and Privacy, May 1999, Berkeley, USA. IEEE Computer Society, 1999: 133–145
  12. Tian X G, Gao L Z, Sun C L, Duan M Y, Zhang E Y. A method for anomaly detection of user behaviors based on machine learning. The Journal of China Universities of Posts and Telecommunications, 2006, 13(2): 61–65, 78

Corresponding author

Correspondence to Xinguang Tian.
Cite this article

Tian, X., Cheng, X., Duan, M. et al. Network intrusion detection based on system calls and data mining. Front. Comput. Sci. China 4, 522–528 (2010). https://doi.org/10.1007/s11704-010-0570-9