Host intrusion detection for long stealthy system call sequences

Mohammed Taha Elgraini, N. Assem, T. Rachidi
Citations: 8

Abstract

In this paper, we present SC2, an unsupervised learning classifier for detecting host intrusions from sequences of process system calls. SC2 is a naïve Bayes-like classifier based on a Markov model. We describe the classifier and then provide experimental results on the University of New Mexico's four system call trace data sets, namely Synthetic Sendmail UNM, Synthetic Sendmail CERT, live lpr UNM and live lpr MIT. SC2 classification results are compared to leading machine learning techniques, namely naïve Bayes multinomial (NBm), C4.5 (decision tree), RIPPER (RP), support vector machine (SVM), and logistic regression (LR). Initial findings show that the accuracy of SC2 is comparable to that of leading classifiers, while SC2 has a better detection rate than some of these classifiers on some data sets. SC2 can efficiently classify very long stealthy sequences by using a backtrack, scale and re-multiply technique, together with an estimate of the IEEE 754-2008 relative error of floating-point arithmetic to ensure an acceptable classification confidence.
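The numerical problem behind the abstract's "very long stealthy sequences", as an added Python illustration that is not the paper's SC2 code: a first-order Markov model over system-call names is trained on constructed normal traces, and a straight product of transition probabilities collapses to 0.0 on a 10,000-call trace while a rescaled running product stays finite and still separates a normal trace from an anomalous one. The periodic rescaling and the additive smoothing used here are my own stand-ins for the paper's backtrack, scale and re-multiply technique, not a reproduction of it.

```python
import math
from collections import Counter, defaultdict

UNK = "<unk>"  # bucket for system calls never seen during training

# Constructed normal traces (sample data, not from the UNM, CERT or MIT sets).
NORMAL_TRACES = [
    ["open", "read", "read", "write", "close"],
    ["open", "read", "write", "write", "close"],
    ["open", "mmap", "read", "read", "close"],
]

def train_markov(traces, alpha=0.5):
    """First-order Markov model over system-call names, with additive
    smoothing so that no transition has probability exactly zero.
    Returns {from_call: {to_call: probability}}."""
    alphabet = sorted({c for t in traces for c in t} | {UNK})
    counts = defaultdict(Counter)
    for t in traces:
        for a, b in zip(t, t[1:]):
            counts[a][b] += 1
    model = {}
    for a in alphabet:
        total = sum(counts[a].values()) + alpha * len(alphabet)
        model[a] = {b: (counts[a][b] + alpha) / total for b in alphabet}
    return model

def _prob(model, a, b):
    """Transition probability, mapping unknown calls onto the UNK bucket."""
    return model[a if a in model else UNK][b if b in model else UNK]

def naive_likelihood(model, seq):
    """Straight product of transition probabilities: underflows to 0.0 on
    long traces, so every long sequence looks equally improbable."""
    p = 1.0
    for a, b in zip(seq, seq[1:]):
        p *= _prob(model, a, b)
    return p

def scaled_log_likelihood(model, seq, rescale_below=1e-200):
    """Keep the running product in range: when it drops below the threshold,
    fold its logarithm into an accumulator and restart the product from 1.0.
    Returns the mean log-probability per transition, finite for any length."""
    p, acc, n = 1.0, 0.0, 0
    for a, b in zip(seq, seq[1:]):
        p *= _prob(model, a, b)
        n += 1
        if p < rescale_below:
            acc, p = acc + math.log(p), 1.0
    return (acc + math.log(p)) / max(n, 1)
```

A trace is flagged when its per-transition score falls below a threshold chosen from the scores of known-normal traces; the smoothing floor (`alpha`) bounds how far one rescaling step can drop, so the product never reaches 0.0 before it is rescaled.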