DocumentCode
2354565
Title
Anomaly-Based Intrusion Detection System Sharing Normal Behavior Databases among Different Machines
Author
Ohtahara, Sho ; Kamiyama, Takayuki ; Oyama, Yoshihiro
Author_Institution
Dept. of Comput. Sci., Univ. of Electro-Commun., Chofu, Japan
Volume
1
fYear
2009
fDate
11-14 Oct. 2009
Firstpage
217
Lastpage
222
Abstract
A number of studies have examined anomaly detection systems based on training on the system call sequences of applications during normal execution. However, many of these anomaly detection systems have low detection accuracy when the training is insufficient. This occurs because the normal behavior data obtained through training on one machine cannot be used for detection on another machine. In this paper, we propose an anomaly detection system that shares normal behavior data between multiple machines. In the proposed system, the normal behavior data obtained on each machine is accumulated in a server, and the integrated data is distributed back to each machine. This system improves the detection accuracy by integrating the data used for anomaly detection on each machine. The proposed system not only provides a straightforward algorithm for integration, but also two improved algorithms, namely, the majority algorithm and the similarity algorithm. The proposed system was implemented on the Linux operating system, and its behavior was compared experimentally with that of an existing system.
Keywords
Linux; database management systems; operating systems (computers); security of data; Linux operating system; anomaly-based intrusion detection system; normal behavior databases; system call sequences; Application software; Computer science; Databases; Event detection; Fault detection; Information technology; Intrusion detection; Linux; Monitoring; Operating systems; intrusion detection systems; security;
fLanguage
English
Publisher
ieee
Conference_Titel
Computer and Information Technology, 2009. CIT '09. Ninth IEEE International Conference on
Conference_Location
Xiamen
Print_ISBN
978-0-7695-3836-5
Type
conf
DOI
10.1109/CIT.2009.67
Filename
5329496