A Semantic Approach to Host-Based Intrusion Detection Systems Using Contiguousand Discontiguous System Call Patterns
Title | A Semantic Approach to Host-Based Intrusion Detection Systems Using Contiguousand Discontiguous System Call Patterns |
Publication Type | Journal Article |
Year of Publication | 2014 |
Authors | Creech, G., Jiankun Hu |
Journal | Computers, IEEE Transactions on |
Volume | 63 |
Pagination | 807-819 |
Date Published | April |
ISSN | 0018-9340 |
Keywords | ADFA-LD, anomaly detection, Clocks, Complexity theory, Computer architecture, computer security, contemporary hacking methods, contiguous system call patterns, cryptography, discontiguous system call patterns, false alarm rates, Gaussian processes, high level languages, high-level programming languages, host-based anomaly intrusion detection system design, host-based IDS, Intrusion detection, KDD98 data sets, Logic gates, modern operating system, operating systems (computers), program anomaly behaviour, Registers, security of data, semantic structure, system calls, UNM data sets |
Abstract | Host-based anomaly intrusion detection system design is very challenging due to the notoriously high false alarm rate. This paper introduces a new host-based anomaly intrusion detection methodology using discontiguous system call patterns, in an attempt to increase detection rates whilst reducing false alarm rates. The key concept is to apply a semantic structure to kernel level system calls in order to reflect intrinsic activities hidden in high-level programming languages, which can help understand program anomaly behaviour. Excellent results were demonstrated using a variety of decision engines, evaluating the KDD98 and UNM data sets, and a new, modern data set. The ADFA Linux data set was created as part of this research using a modern operating system and contemporary hacking methods, and is now publicly available. Furthermore, the new semantic method possesses an inherent resilience to mimicry attacks, and demonstrated a high level of portability between different operating system versions. |
DOI | 10.1109/TC.2013.13 |
Citation Key | 6419701 |
- high-level programming languages
- UNM data sets
- system calls
- semantic structure
- security of data
- Registers
- program anomaly behaviour
- operating systems (computers)
- modern operating system
- Logic gates
- KDD98 data sets
- Intrusion Detection
- host-based IDS
- host-based anomaly intrusion detection system design
- ADFA-LD
- high level languages
- Gaussian processes
- false alarm rates
- discontiguous system call patterns
- Cryptography
- contiguous system call patterns
- contemporary hacking methods
- computer security
- computer architecture
- Complexity theory
- Clocks
- Anomaly Detection