Frequency‐ and ordering‐based similarity measure for host‐based intrusion detection

Sanjay Rawat (Department of Computer and Information Sciences, University of Hyderabad, Hyderabad, India and Institute for Development and Research in Banking Technology (IDRBT), Hyderabad, India)
V.P. Gulati (Institute for Development and Research in Banking Technology (IDRBT), Hyderabad, India)
Arun K. Pujari (Department of Computer and Information Sciences, University of Hyderabad, Hyderabad, India)

Information Management & Computer Security

ISSN: 0968-5227

Publication date: 1 December 2004

Abstract

This paper discusses a new similarity measure for anomaly‐based intrusion detection using sequences of system calls. With the increasing frequency of new attacks, it is getting difficult to keep the signature database of a misuse‐based intrusion detection system (IDS) up to date. While anomaly‐based IDS has a very important role to play, its high rate of false positives remains a cause for concern. The paper defines a similarity measure that considers the number of system calls two processes have in common, the frequencies of those system calls and the ordering of the system calls made by the processes to calculate the similarity between processes, and proposes the use of Kendall tau distance to calculate similarity in terms of the ordering of system calls within a process. A k nearest neighbour (kNN) classifier is used to categorize a process as either normal or abnormal. The experimental results, obtained on the 1998 DARPA data, are very promising and show that the proposed scheme achieves a high detection rate and a low rate of false positives.
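The abstract names three ingredients (calls in common, call frequencies, call ordering measured by Kendall tau distance) and a kNN decision, but the page does not give the paper's formula for combining them. The following is an added illustration, not the authors' code or their exact measure: it scores the set overlap with Jaccard similarity, the frequencies with cosine similarity of per-call counts, and the ordering by ranking each distinct call by its first occurrence and counting discordant pairs (a normalized Kendall tau distance); the product of the three terms and the 0.5 threshold are assumptions made for the example. The traces are constructed, not taken from the DARPA 1998 data, and only normal traces are used for training, so a process is flagged abnormal when its average similarity to its k nearest normal neighbours falls below the threshold.

```python
from collections import Counter
from itertools import combinations
from math import sqrt

# Constructed sample traces (not from the DARPA 1998 data): short
# system-call sequences standing in for per-process audit records.
NORMAL_TRACES = [
    ["open", "read", "mmap", "read", "close", "exit"],
    ["open", "read", "read", "mmap", "close", "exit"],
    ["open", "mmap", "read", "close", "close", "exit"],
]
SUSPECT_TRACE = ["execve", "setuid", "open", "write", "exit"]
NORMAL_LIKE_TRACE = ["open", "read", "mmap", "close", "exit"]


def shared_fraction(a, b):
    """Term 1 (assumed form): Jaccard overlap of the distinct calls."""
    sa, sb = set(a), set(b)
    return len(sa & sb) / len(sa | sb)


def frequency_cosine(a, b):
    """Term 2 (assumed form): cosine similarity of call-count vectors."""
    ca, cb = Counter(a), Counter(b)
    dot = sum(ca[s] * cb[s] for s in ca)
    na = sqrt(sum(v * v for v in ca.values()))
    nb = sqrt(sum(v * v for v in cb.values()))
    return dot / (na * nb)


def first_occurrence_rank(trace):
    """Rank each distinct call by the position where it first appears."""
    ranks = {}
    for pos, call in enumerate(trace):
        ranks.setdefault(call, pos)
    return ranks


def kendall_tau_distance(a, b):
    """Term 3: normalized Kendall tau distance between the orderings of the
    calls both traces share (fraction of pairs ordered differently)."""
    ra, rb = first_occurrence_rank(a), first_occurrence_rank(b)
    pairs = list(combinations(sorted(set(ra) & set(rb)), 2))
    if not pairs:
        return 1.0  # no shared calls to compare: treat as maximal disagreement
    discordant = sum(1 for x, y in pairs
                     if (ra[x] - ra[y]) * (rb[x] - rb[y]) < 0)
    return discordant / len(pairs)


def similarity(a, b):
    """Assumed combination: product of the three terms, in [0, 1]."""
    return (shared_fraction(a, b)
            * frequency_cosine(a, b)
            * (1.0 - kendall_tau_distance(a, b)))


def knn_score(trace, normal_traces, k=2):
    """Mean similarity to the k most similar normal traces."""
    sims = sorted((similarity(trace, n) for n in normal_traces), reverse=True)
    return sum(sims[:k]) / k


def classify(trace, normal_traces, k=2, threshold=0.5):
    """Assumed decision rule: normal iff the kNN score reaches the threshold."""
    return "normal" if knn_score(trace, normal_traces, k) >= threshold else "abnormal"


if __name__ == "__main__":
    for name, trace in (("normal-like", NORMAL_LIKE_TRACE), ("suspect", SUSPECT_TRACE)):
        print(name, round(knn_score(trace, NORMAL_TRACES), 3), classify(trace, NORMAL_TRACES))
```

The ordering term is what separates this from a pure frequency model: the third normal trace issues `mmap` before `read`, which changes one of the ten shared-call pairs and costs it a tenth of its score, while the suspect trace scores low mainly on the overlap and frequency terms because `execve`, `setuid` and `write` never appear in the normal profile. The threshold and k would have to be tuned on held-out normal data in practice.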

Citation

Rawat, S., Gulati, V. and Pujari, A. (2004), "Frequency‐ and ordering‐based similarity measure for host‐based intrusion detection", Information Management & Computer Security, Vol. 12 No. 5, pp. 411-421. https://doi.org/10.1108/09685220410563397

Publisher: Emerald Group Publishing Limited

Copyright © 2004, Emerald Group Publishing Limited
