Frequency‐ and ordering‐based similarity measure for host‐based intrusion detection

Abstract

This paper discusses a new similarity measure for the anomaly‐based intrusion detection scheme using sequences of system calls. With the increasing frequency of new attacks, it is getting difficult to update the signatures database for misuse‐based intrusion detection system (IDS). While anomaly‐based IDS has a very important role to play, the high rate of false positives remains a cause for concern. Defines a similarity measure that considers the number of similar system calls, frequencies of system calls and ordering‐of‐system calls made by the processes to calculate the similarity between the processes. Proposes the use of Kendall Tau distance to calculate the similarity in terms of ordering of system calls in the process. The k nearest neighbor (kNN) classifier is used to categorize a process as either normal or abnormal. The experimental results, performed on 1998 DARPA data, are very promising and show that the proposed scheme results in a high detection rate and low rate of false positives.