Get 20M+ Full-Text Papers For Less Than $1.50/day. Start a 14-Day Trial for You and Your Team.

Learn More →

Frequency‐ and ordering‐based similarity measure for host‐based intrusion detection

Frequency‐ and ordering‐based similarity measure for host‐based intrusion detection This paper discusses a new similarity measure for the anomaly‐based intrusion detection scheme using sequences of system calls. With the increasing frequency of new attacks, it is getting difficult to update the signatures database for misuse‐based intrusion detection system (IDS). While anomaly‐based IDS has a very important role to play, the high rate of false positives remains a cause for concern. Defines a similarity measure that considers the number of similar system calls, frequencies of system calls and ordering‐of‐system calls made by the processes to calculate the similarity between the processes. Proposes the use of Kendall Tau distance to calculate the similarity in terms of ordering of system calls in the process. The k nearest neighbor ( k NN) classifier is used to categorize a process as either normal or abnormal. The experimental results, performed on 1998 DARPA data, are very promising and show that the proposed scheme results in a high detection rate and low rate of false positives. http://www.deepdyve.com/assets/images/DeepDyve-Logo-lg.png Information Management & Computer Security Emerald Publishing

Frequency‐ and ordering‐based similarity measure for host‐based intrusion detection

Loading next page...
 
/lp/emerald-publishing/frequency-and-ordering-based-similarity-measure-for-host-based-BUdO02vFCO
Publisher
Emerald Publishing
Copyright
Copyright © 2004 Emerald Group Publishing Limited. All rights reserved.
ISSN
0968-5227
DOI
10.1108/09685220410563397
Publisher site
See Article on Publisher Site

Abstract

This paper discusses a new similarity measure for the anomaly‐based intrusion detection scheme using sequences of system calls. With the increasing frequency of new attacks, it is getting difficult to update the signatures database for misuse‐based intrusion detection system (IDS). While anomaly‐based IDS has a very important role to play, the high rate of false positives remains a cause for concern. Defines a similarity measure that considers the number of similar system calls, frequencies of system calls and ordering‐of‐system calls made by the processes to calculate the similarity between the processes. Proposes the use of Kendall Tau distance to calculate the similarity in terms of ordering of system calls in the process. The k nearest neighbor ( k NN) classifier is used to categorize a process as either normal or abnormal. The experimental results, performed on 1998 DARPA data, are very promising and show that the proposed scheme results in a high detection rate and low rate of false positives.

Journal

Information Management & Computer SecurityEmerald Publishing

Published: Dec 1, 2004

Keywords: Data security; Computer crime; System monitoring

References