Integer Data Zero-Watermark Assisted System Calls Abstraction and Normalization for Host Based Anomaly Detection Systems

Abstract

The generation of representative computer system behavior profile from system calls in LINUX environments to establish reliable Host Based Anomaly Detection Systems (HADS) against Next Generation of Attacks (NGA) is a challenge due to two major reasons. Firstly, NGA causes a low footprint upon host activities and consequently, attack activities are difficult to detect from normal computer processes in terms of accuracy and processing time. Secondly, there is no effective method to extract the natural difference from the two different types of traces (e.g. normal or abnormal) of system calls. Following these reasons, a semi-supervised model is proposed, which is comprised of two parts. Firstly, to establish an unsupervised computer behavior classification, an integer data zero-watermarking algorithm is developed to extract abstract hidden representation of system calls. This hidden representation constitutes the natural difference between attack and normal computer system behavior in real-time. Secondly, various supervised Machine Learning (ML) algorithms and normalizations are realized with proposed hidden representation of the system calls to evaluate the semi-supervised model in HADS. To evaluate the performance in terms of accuracy and processing time, the publicly available bench mark host based data sets: ADFA-LD and KDD 98 have been utilized. Each data set is the collection of traces of processes and each trace comprises of process's system calls. Experimental results shows that the suggested semi-supervised model outperforms existing methodologies in terms of accuracy and processing time for the detection of low and high foot print attacks.