Algorithm enhancement for host-based intrusion detection system using discriminant analysis

Abstract

Algorithms for building detection models are usually classified into two categories: misuse detection and anomaly detection. Misuse detection algorithms model know attack behavior. They compare sensor data to attack patterns learned from the training data. Anomaly detection algorithms model normal behavior. Anomaly detection models compare sensor data to normal patterns learned from the training data by using statistical method and try to detect activity that deviates from normal activity. Although Anomaly IDS might be complete, its accuracy is questionable since this approach suffers from a high false positive alarm rate and misclassification. This thesis expects an enhancement algorithm to be able to reduce a false positive alarm and misclassification rate. This research investigated a discriminant analysis method for detecting intrusions based on number of system calls during an activity on host machine. This method attempts to separate intrusions from normal activities. This research detects intrusions by analyzing at least system call occurring on activities, and can also tell whether an activity is an intrusion. The focus of this analysis is on original observations that performed a detecting outlier and power transformation to transform not normally distributed data to near normality. The correlation of each system calls are examined using coefficient correlations of each selected system call variables. This approach is a lightweight intrusion detection method, given that requires only nine system calls that are strongly correlated to intrusions for analysis. Moreover, this approach does not require user profiles or a user activity database in order to detect intrusions. Lastly, this method can reduce a high false positive alarm rate and misclassification for detecting process.