• DocumentCode
    2486514
  • Title
    An Intrusion Detection Approach Based on System Call Sequences and Rules Extraction
  • Author
    Ye Qing ; Wu Xiaoping ; Yan Bo
  • Author_Institution
    Depart. of Inf. Security, Naval Univ. of Eng., Wuhan, China
  • fYear
    2010
  • fDate
    22-23 May 2010
  • Firstpage
    1
  • Lastpage
    4
  • Abstract
    Intrusion detection systems protect normal users and system resources from information security threats. Anomaly detection is an approach of intrusion detection that constructs models of normal behavior of users or systems and detects the behaviors that deviate from the model. Monitoring the sequences of system calls generated during the execution of privileged programs has been known to be an effective means of anomaly detection. In this paper, an approach for anomaly intrusion detection is presented and applied to monitor the abnormal behavior of processes. The approach is based on rough set theory and capable of extracting a set of rules with the minimum size to form a normal behavior model from the record of system call sequences generated during the normal execution of a process. It may detect the abnormal operating status of a process. The normal behavior model in terms of the system call sequences is defined, and the detection algorithm is given for the application of rough set theory in intrusion detection. The illustrative example shows that it is feasible and effective.
  • Keywords
    rough set theory; security of data; anomaly detection; information security threats; intrusion detection approach; rough set theory; rules extraction; system call sequences; Computer networks; Data mining; Detection algorithms; Information security; Intrusion detection; Machine learning; Monitoring; Protection; Set theory; Statistics;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    e-Business and Information System Security (EBISS), 2010 2nd International Conference on
  • Conference_Location
    Wuhan
  • Print_ISBN
    978-1-4244-5893-6
  • Electronic_ISBN
    978-1-4244-5895-0
  • Type
    conf
  • DOI
    10.1109/EBISS.2010.5473675
  • Filename
    5473675