Affiliation:
1. School of Cyber Science and Engineering, Sichuan University, Chengdu 610065, China
2. Zhihuiyuntian Technology, Chengdu 610031, China
Abstract
The system call sequences of processes are important for host-based anomaly detection. However, detection accuracy can be seriously degraded by subsequences that appear in the call sequences of both normal and abnormal processes. Detection is obstructed further when the normal/abnormal distributions of subsequences are extremely imbalanced and many samples are ambiguous. In this paper, the system call sequences are first divided into weighted subsequences of fixed length. Secondly, a suffix tree is constructed for each system call sequence, and a variable-length subsequence is extracted automatically from the tree's longest repeated substring. The frequencies of the fixed- and variable-length subsequences that appear in each system call sequence constitute its feature vector. Finally, the vectors are input into a cost-sensitive and relaxed support vector machine, in which the penalty-free slack of the relaxed SVM is split independently between the two classes with different weights. Experimental results on the two public datasets ADFA-LD and UNM show that the AUC of the proposed method reaches 99%, while the false alarm rate is only 2.4%.
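To make the feature-construction step of the abstract concrete, the following is an added example (not code from the paper or its authors): it builds the fixed-length subsequences, finds each trace's longest repeated substring, and turns the occurrence counts of both into a per-trace frequency vector. The traces are constructed toy data, not ADFA-LD or UNM, and a sorted-suffix scan stands in for the paper's suffix tree (it finds the same longest repeat, just less efficiently); the SVM step is not shown.

```python
from collections import Counter

# Constructed toy traces of system call numbers (not taken from ADFA-LD or UNM);
# the names are hypothetical labels used only to illustrate feature construction.
TRACES = {
    "normal_1": [6, 6, 63, 6, 42, 120, 6, 6, 63, 6, 42],
    "normal_2": [6, 6, 63, 6, 42, 195, 6, 6, 63, 6, 42, 120],
    "attack_1": [6, 6, 63, 11, 11, 3, 11, 11, 3, 11, 11, 3],
}

def fixed_length_subsequences(seq, n):
    """Sliding-window subsequences of fixed length n (n-grams over the trace)."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]

def longest_repeated_substring(seq):
    """Longest subsequence that occurs at least twice in seq (overlaps allowed).

    A sorted-suffix scan replaces the suffix tree of the paper: the longest
    repeat is the longest common prefix of two lexicographically adjacent
    suffixes, which is what the deepest internal node of the tree encodes.
    """
    suffixes = sorted(tuple(seq[i:]) for i in range(len(seq)))
    best = ()
    for a, b in zip(suffixes, suffixes[1:]):
        k = 0
        while k < min(len(a), len(b)) and a[k] == b[k]:
            k += 1
        if k > len(best):
            best = a[:k]
    return best

def count_occurrences(seq, pattern):
    """Number of (possibly overlapping) positions at which pattern occurs in seq."""
    k = len(pattern)
    return sum(1 for i in range(len(seq) - k + 1) if tuple(seq[i:i + k]) == pattern)

def build_vocabulary(traces, n):
    """Union of every trace's fixed-length n-grams and its longest repeat."""
    vocab = set()
    for seq in traces.values():
        vocab.update(fixed_length_subsequences(seq, n))
        lrs = longest_repeated_substring(seq)
        if lrs:
            vocab.add(lrs)
    return sorted(vocab)

def feature_vectors(traces, n=3):
    """Map each trace name to its frequency vector over the shared vocabulary."""
    vocab = build_vocabulary(traces, n)
    return vocab, {name: [count_occurrences(seq, p) for p in vocab]
                   for name, seq in traces.items()}
```

The returned vectors are the input the abstract feeds to the cost-sensitive relaxed SVM; with real traces the per-subsequence weighting and class weights would be applied on top of these raw counts.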
Funder
National Key Research and Development Program of China
Subject
Computer Networks and Communications, Information Systems
Cited by: 3 articles.