
Intrusion Detection Research Of Host System Call Sequence Based On Classification

Posted on: 2008-03-28
Degree: Master
Type: Thesis
Country: China
Candidate: Y L Ma
GTID: 2178360242458969
Subject: Computer application technology

Abstract/Summary:
Intrusion detection has been a hot topic in network security in recent years and is an active measure of information assurance. The task of an Intrusion Detection System (IDS) is to monitor the operation of a network according to a pre-specified policy and to find intrusive activity, in order to protect the confidentiality, integrity and availability of network resources.

Intrusion detection based on host system call sequences works on data sets of host system calls. System calls are kernel functions of the operating system. The system call sequences of a program are stable over time and can be used to characterize the behavior of the system. At present, most attacks exploit vulnerabilities or flaws in privileged processes.

First, this thesis studies the definition of system calls and analyzes some key methods of capturing them in detail. On this foundation, the C4.5 and RIPPER algorithms are introduced and their application is described.

Second, the experimental data comes from the University of New Mexico and contains both normal and abnormal data. Normal and abnormal sequences are obtained by scanning the target data, which yields a normal model and an abnormal model. The detection capability of the model at different window sizes is then reported. Because sequences repeat within each model, the redundant data is deleted. In addition, some sequences appear in both the normal model and the abnormal model, which makes classification inefficient. In this thesis, all sequences in the normal model are labeled normal, and sequences that appear only in the abnormal model are labeled abnormal. The data sets are then formatted according to the input requirements of the C4.5 and RIPPER algorithms, and the advantages and disadvantages of the classification are derived.

Finally, on the basis of the model design, an experiment with a different characteristic model is also designed. The most important thing for intrusion detection based on data mining is the methodology for building and using the data sets, including the training data set and the testing data set. The quality of the training data set directly affects the quality of the pattern set, and therefore the efficiency of detection. Because abnormal data occurs in bursts, the proportions of normal and abnormal data are not balanced. In the second experiment, the abnormal data is replicated to achieve a balance with the normal data, and the classification capability is then analyzed. Some preliminary results are achieved in my work, and they will be valuable to a certain extent.
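The data preparation described in the abstract, as an added example that is not code from the thesis: sliding-window extraction, de-duplication, the normal-takes-precedence labeling rule, and replication of abnormal rows for balance. The `pid syscall_number` trace layout, the per-process windowing, the function names and the sample call numbers are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample traces, one "pid syscall_number" pair per line (assumed layout).
NORMAL_TRACE = "101 4\n101 2\n101 66\n101 66\n101 4\n101 138\n101 66\n102 4\n102 2\n102 66\n"
ABNORMAL_TRACE = "201 4\n201 2\n201 66\n201 11\n201 59\n201 66\n"

def windows(trace, k):
    """Return the set of distinct length-k call sequences in a trace.

    Calls are grouped per process so a window never spans two processes
    (an assumption), and the set removes repeated sequences.
    """
    per_pid = defaultdict(list)
    for line in trace.splitlines():
        if line.strip():
            pid, call = line.split()
            per_pid[pid].append(int(call))
    seqs = set()
    for calls in per_pid.values():
        for i in range(len(calls) - k + 1):
            seqs.add(tuple(calls[i:i + k]))
    return seqs

def build_dataset(normal_trace, abnormal_trace, k, balance=False):
    """Label every normal-model sequence normal; only sequences that are
    absent from the normal model are labeled abnormal."""
    normal = windows(normal_trace, k)
    abnormal_only = windows(abnormal_trace, k) - normal
    rows = [(s, "normal") for s in sorted(normal)]
    abn = [(s, "abnormal") for s in sorted(abnormal_only)]
    if balance and abn and len(abn) < len(normal):
        # Replicate abnormal rows until both classes have the same count.
        reps = -(-len(normal) // len(abn))  # ceiling division
        abn = (abn * reps)[:len(normal)]
    return rows + abn

def to_rows(dataset):
    """Comma-separated attribute values with the class label last."""
    return [",".join(map(str, seq)) + "," + label for seq, label in dataset]

if __name__ == "__main__":
    for line in to_rows(build_dataset(NORMAL_TRACE, ABNORMAL_TRACE, 3, balance=True)):
        print(line)
```

Changing `k` reproduces the window-size comparison the abstract mentions: a larger window yields more distinct sequences and fewer that are shared between the two models.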
Keywords/Search Tags:Intrusion Detection System (IDS), Abnormal Detection, Misused Detection, System Call, Entropy