DocumentCode :
25572
Title :
A Semantic Approach to Host-Based Intrusion Detection Systems Using Contiguous and Discontiguous System Call Patterns
Author :
Creech, Gideon ; Jiankun Hu
Author_Institution :
Cyber Security Res. Group, Univ. of New South Wales, Canberra, ACT, Australia
Volume :
63
Issue :
4
fYear :
2014
fDate :
Apr-14
Firstpage :
807
Lastpage :
819
Abstract :
Host-based anomaly intrusion detection system design is very challenging due to the notoriously high false alarm rate. This paper introduces a new host-based anomaly intrusion detection methodology using discontiguous system call patterns, in an attempt to increase detection rates whilst reducing false alarm rates. The key concept is to apply a semantic structure to kernel level system calls in order to reflect intrinsic activities hidden in high-level programming languages, which can help understand program anomaly behaviour. Excellent results were demonstrated using a variety of decision engines, evaluating the KDD98 and UNM data sets, and a new, modern data set. The ADFA Linux data set was created as part of this research using a modern operating system and contemporary hacking methods, and is now publicly available. Furthermore, the new semantic method possesses an inherent resilience to mimicry attacks, and demonstrated a high level of portability between different operating system versions.
Keywords :
high level languages; operating systems (computers); security of data; KDD98 data sets; UNM data sets; contemporary hacking methods; contiguous system call patterns; discontiguous system call patterns; false alarm rates; high-level programming languages; host-based anomaly intrusion detection system design; modern operating system; program anomaly behaviour; semantic structure; Clocks; Complexity theory; Computer architecture; Cryptography; Gaussian processes; Logic gates; Registers; ADFA-LD; Intrusion detection; anomaly detection; computer security; host-based IDS; system calls;
fLanguage :
English
Journal_Title :
Computers, IEEE Transactions on
Publisher :
ieee
ISSN :
0018-9340
Type :
jour
DOI :
10.1109/TC.2013.13
Filename :
6419701