Towards a better similarity algorithm for host-based intrusion detection system

IF 2.1 Q3 COMPUTER SCIENCE, ARTIFICIAL INTELLIGENCE
Lounis Ouarda, Malika Bourenane, Bouderah Brahim
{"title":"Towards a better similarity algorithm for host-based intrusion detection system","authors":"Lounis Ouarda, Malika Bourenane, Bouderah Brahim","doi":"10.1515/jisys-2022-0259","DOIUrl":null,"url":null,"abstract":"Abstract An intrusion detection system plays an essential role in system security by discovering and preventing malicious activities. Over the past few years, several research projects on host-based intrusion detection systems (HIDSs) have been carried out utilizing the Australian Defense Force Academy Linux Dataset (ADFA-LD). These HIDS have also been subjected to various algorithm analyses to enhance their detection capability for high accuracy and low false alarms. However, less attention is paid to the actual implementation of real-time HIDS. Our principal objective in this study is to create a performant real-time HIDS. We propose a new model, “Better Similarity Algorithm for Host-based Intrusion Detection System” (BSA-HIDS), using the same dataset ADFA-LD. The proposed model uses three classifications to represent the attack folder according to certain criteria, the entire system call sequence is used. Furthermore, this work uses textual distance and compares five algorithms like Levenshtein, Jaro–Winkler, Jaccard, Hamming, and Dice coefficient, to classify the system call trace as attack or non-attack based on the notions of interclass decoupling and intra-class coupling. The model can detect zero-day attacks because of the threshold definition. The experimental results show a good detection performance in real-time for Levenshtein/Jaro–Winkler algorithms, 99–94% in detection rate, 2–5% in false alarm rate, and 3,300–720 s in running time, respectively.","PeriodicalId":46139,"journal":{"name":"Journal of Intelligent Systems","volume":"20 1","pages":""},"PeriodicalIF":2.1000,"publicationDate":"2023-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Intelligent Systems","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1515/jisys-2022-0259","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, ARTIFICIAL INTELLIGENCE","Score":null,"Total":0}
引用次数: 0

Abstract

Abstract An intrusion detection system plays an essential role in system security by discovering and preventing malicious activities. Over the past few years, several research projects on host-based intrusion detection systems (HIDSs) have been carried out utilizing the Australian Defense Force Academy Linux Dataset (ADFA-LD). These HIDS have also been subjected to various algorithm analyses to enhance their detection capability for high accuracy and low false alarms. However, less attention is paid to the actual implementation of real-time HIDS. Our principal objective in this study is to create a performant real-time HIDS. We propose a new model, “Better Similarity Algorithm for Host-based Intrusion Detection System” (BSA-HIDS), using the same dataset ADFA-LD. The proposed model uses three classifications to represent the attack folder according to certain criteria, the entire system call sequence is used. Furthermore, this work uses textual distance and compares five algorithms like Levenshtein, Jaro–Winkler, Jaccard, Hamming, and Dice coefficient, to classify the system call trace as attack or non-attack based on the notions of interclass decoupling and intra-class coupling. The model can detect zero-day attacks because of the threshold definition. The experimental results show a good detection performance in real-time for Levenshtein/Jaro–Winkler algorithms, 99–94% in detection rate, 2–5% in false alarm rate, and 3,300–720 s in running time, respectively.
针对基于主机的入侵检测系统,提出一种更好的相似度算法
入侵检测系统通过发现和阻止恶意活动,在系统安全中起着至关重要的作用。在过去几年中,利用澳大利亚国防军学院Linux数据集(ADFA-LD)开展了几个基于主机的入侵检测系统(hids)的研究项目。这些HIDS还进行了各种算法分析,以提高其检测能力,实现高精度和低误报。然而,很少有人关注实时HIDS的实际实施。我们在这项研究中的主要目标是创建一个高性能的实时HIDS。我们提出了一个新的模型,“基于主机的入侵检测系统的更好的相似算法”(BSA-HIDS),使用相同的数据集ADFA-LD。该模型按照一定的标准使用三种分类来表示攻击文件夹,使用整个系统调用序列。此外,这项工作使用文本距离并比较五种算法,如Levenshtein, Jaro-Winkler, Jaccard, Hamming和Dice系数,根据类间解耦和类内耦合的概念将系统调用跟踪分类为攻击或非攻击。由于阈值定义,该模型可以检测到零日攻击。实验结果表明,Levenshtein/ Jaro-Winkler算法具有良好的实时检测性能,检测率为99 ~ 94%,虚警率为2 ~ 5%,运行时间为3300 ~ 720 s。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 求助全文
来源期刊
Journal of Intelligent Systems
Journal of Intelligent Systems COMPUTER SCIENCE, ARTIFICIAL INTELLIGENCE-
CiteScore
5.90
自引率
3.30%
发文量
77
审稿时长
51 weeks
期刊介绍: The Journal of Intelligent Systems aims to provide research and review papers, as well as Brief Communications at an interdisciplinary level, with the field of intelligent systems providing the focal point. This field includes areas like artificial intelligence, models and computational theories of human cognition, perception and motivation; brain models, artificial neural nets and neural computing. It covers contributions from the social, human and computer sciences to the analysis and application of information technology.
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信