Title: A Typical Set Method of Intrusion Detection Technology Base on Computer Audit Data
Authors: Du Xuetao, Ji Chunfu, Fu Yubing
Venue: 2007 International Conference on Computational Intelligence and Security (CIS 2007), vol. 42, no. 1
Publication date: 2007-12-15
DOI: 10.1109/CIS.2007.75 (https://doi.org/10.1109/CIS.2007.75)
Open access: no
Citation count: 11
Abstract
The signature database of an intrusion detection system is usually built from short sequences of system calls. The real-time efficiency and accuracy of intrusion detection are greatly influenced by the scale of the signature database and by the approach taken to analysing intrusion data. In this paper, a typical set method is proposed to compress the normal signature database. Using the UNM CERT sendmail data set for testing, the feasibility of the typical set method is validated, and a proper typical set rate for intrusion detection is proposed. Meanwhile, the LSM (Linux Security Modules) framework is presented as the means to hook system calls and other audit data from the operating system, both to build the intrusion detection system's signature database and to identify intrusion activity. A system-service-process-oriented detection idea is also introduced to make intrusion detection more pertinent and accurate. Anomaly detection experiment results show good performance of our intrusion detection method.