Fuzzy intrusion detection system via data mining technique with sequences of system calls

Abstract

There are two main approaches for implementing IDS; host based and network based. While the former is implemented in the form of software deployed on a host, the latter, usually is built as a hardware product with its own hardware platform (IDS appliance). In this paper, a host based intrusion detection system, that uses the idea of tracing system calls, is introduced. As a program runs, it uses the services of the underlying operating system to do some system calls. This system does not exactly need to know the program codes of each process. Normal and intrusive behaviors are collected with gathering the sequences of system calls for each process. Analysis of data is done via data mining and fuzzy techniques. Data mining is used to extract the normal behavior. The proposed system is shown to improve the performance, and decrease size of database, time complexity, and the rate of false alarms.