TY  - JOUR
TI  - Frequency- and ordering-based similarity measure for host-based intrusion detection
AU  - Rawat, Sanjay
AU  - Gulati, V.P.
AU  - Pujari, Arun K.
T2  - Information Management & Computer Security
PY  - 2004
Y1  - 2004/01/01
VL  - 12
IS  - 5
SP  - 411
EP  - 421
SN  - 0968-5227
DO  - 10.1108/09685220410563397
UR  - https://doi.org/10.1108/09685220410563397
PB  - Emerald Group Publishing Limited
AB  - This paper discusses a new similarity measure for anomaly-based intrusion detection using sequences of system calls. With the increasing frequency of new attacks, it is getting difficult to keep the signature database of a misuse-based intrusion detection system (IDS) up to date. Anomaly-based IDS therefore has an important role to play, but its high rate of false positives remains a cause for concern. The paper defines a similarity measure that considers the number of system calls two processes have in common, the frequencies of those system calls, and the ordering of the system calls made by the processes, and uses it to calculate the similarity between processes. It proposes the use of Kendall Tau distance to measure similarity in terms of the ordering of system calls within a process. A k nearest neighbour (kNN) classifier is then used to categorize a process as either normal or abnormal. Experimental results on the 1998 DARPA data are very promising and show that the proposed scheme yields a high detection rate and a low rate of false positives.
Y2  - 2024/04/19
ER  - 
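The abstract describes three ingredients (shared system calls, call frequencies, and call ordering compared with Kendall Tau distance) combined into one similarity score and fed to a kNN classifier. The following Python block is an added illustration of that idea, not the authors' code, and the exact formulas are assumptions made here: ranks for Kendall Tau are taken from each call's first occurrence in a trace and only calls present in both traces are compared; frequency similarity is cosine similarity of call-count vectors; the shared-call term is Jaccard similarity of the distinct call sets; the three terms are averaged with equal weight; and kNN decides "normal" when the mean similarity to the k most similar known-normal traces reaches a threshold. The traces and the names `NORMAL_TRACES` and `SUSPICIOUS_TRACE` are constructed sample input, not DARPA data.

```python
"""Frequency- and ordering-based similarity of system-call traces with a kNN
normal/abnormal decision.  Added illustration; the weighting of the three
terms and the Kendall Tau variant are assumptions, not the paper's definitions."""
from collections import Counter
from itertools import combinations
import math


def kendall_tau_distance(a, b):
    """Normalised Kendall Tau distance (0 = identical order, 1 = fully reversed)
    between the orderings of the system calls shared by traces a and b.
    Assumption: a call's rank is the index of its first occurrence; calls seen
    in only one trace are ignored; fewer than two shared calls gives 0."""
    first_a, first_b = {}, {}
    for i, c in enumerate(a):
        first_a.setdefault(c, i)
    for i, c in enumerate(b):
        first_b.setdefault(c, i)
    shared = sorted(set(first_a) & set(first_b))
    if len(shared) < 2:
        return 0.0
    discordant = 0
    for x, y in combinations(shared, 2):
        # A pair is discordant when the two traces disagree on which call came first.
        if (first_a[x] - first_a[y]) * (first_b[x] - first_b[y]) < 0:
            discordant += 1
    return discordant / (len(shared) * (len(shared) - 1) // 2)


def frequency_similarity(a, b):
    """Cosine similarity of the two system-call frequency vectors."""
    ca, cb = Counter(a), Counter(b)
    dot = sum(ca[c] * cb[c] for c in ca if c in cb)
    na = math.sqrt(sum(v * v for v in ca.values()))
    nb = math.sqrt(sum(v * v for v in cb.values()))
    return dot / (na * nb) if na and nb else 0.0


def common_call_similarity(a, b):
    """Jaccard similarity of the sets of distinct system calls."""
    sa, sb = set(a), set(b)
    return len(sa & sb) / len(sa | sb) if sa | sb else 0.0


def similarity(a, b):
    """Combined score in [0, 1]: mean of the shared-call, frequency and
    ordering terms (ordering term = 1 - Kendall Tau distance).  Equal weighting
    is an assumption for this example."""
    return (common_call_similarity(a, b)
            + frequency_similarity(a, b)
            + (1.0 - kendall_tau_distance(a, b))) / 3.0


def knn_classify(trace, normal_traces, k=3, threshold=0.8):
    """'normal' if the mean similarity to the k most similar known-normal
    traces reaches the threshold, otherwise 'abnormal'."""
    scores = sorted((similarity(trace, n) for n in normal_traces), reverse=True)
    top = scores[:k]
    return "normal" if sum(top) / len(top) >= threshold else "abnormal"


# Constructed sample traces (not DARPA data): a few benign file-handling
# processes and one that spawns a program and opens a network connection.
NORMAL_TRACES = [
    ["open", "read", "read", "write", "close"],
    ["open", "read", "write", "write", "close"],
    ["open", "read", "read", "read", "write", "close"],
    ["open", "fstat", "read", "write", "close"],
]
SUSPICIOUS_TRACE = ["open", "write", "execve", "socket", "connect", "read", "close"]


if __name__ == "__main__":
    for label, t in [("benign", ["open", "read", "write", "close"]),
                     ("suspicious", SUSPICIOUS_TRACE)]:
        print(label, "->", knn_classify(t, NORMAL_TRACES))
```

Because Kendall Tau only compares calls present in both traces, a trace made of entirely new calls scores 0 on the shared-call and frequency terms but 1 on the ordering term; the averaging keeps such a trace below a sensible threshold, but in a real deployment the threshold and k would be tuned on held-out normal data rather than fixed as above.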