Visualizing and identifying intrusion context from system calls trace

Anomaly-based intrusion detection (AID) techniques are useful for detecting novel intrusions without known signatures. However, AID techniques suffer from higher false alarm rate compared to signature-based intrusion detection techniques. In this paper, the concept of intrusion context identification is introduced to address the problem. The identification of the intrusion context can help to significantly enhance the detection rate and lower the false alarm rate of AID techniques. To evaluate the effectiveness of the concept, a simple but representative scheme for intrusion context identification is proposed, in which the anomalies in the intrusive datasets are visualized first, and then the intrusion contexts are identified from the visualized anomalies. The experimental results show that using the scheme, the intrusion contexts can be visualized and extracted from the audit trails correctly. In addition, as an application of the visualized anomalies, an implicit design drawback in t-stide is found after careful analysis. Finally, based on the identified intrusion context and the efficiency comparison, several findings are made which can offer useful insights and benefit future research on AID techniques.