
Intrusion Detection Model Of Host System Call Sequence Based On Neighbor Algorithm

Posted on: 2005-06-01
Degree: Master
Type: Thesis
Country: China
Candidate: Z Wang
Full Text: PDF
GTID: 2168360122998785
Subject: Computer applications
Abstract/Summary:
Intrusion detection based on host system call sequences works on the system calls issued to the kernel, which is the core function of an operating system. Because system calls are a property of the kernel itself, their sequences can characterize the behaviour of the system without distinguishing between users, which makes them effective for controlling the use of privileged programs and preventing their abuse.

Classical intrusion detection models based on host system call sequences, such as the enumerating-sequences model and the data-mining model, divide the pattern space into two classes in order to label user behaviour as normal or abnormal. However, patterns whose frequencies are low compared with the others always disturb the result of the intrusion detection system, because their appearance cannot tell us whether the behaviour of the computer's user was normal or abnormal. In this thesis such sequences are placed in a third class, the paltry ones, so that short sequences are classified into three classes: Normal, Abnormal and Paltry. A model mixing anomaly detection and misuse detection was built on this three-class pattern space. The information hidden in the time ordering of short system call sequences is used to adjust the class of a short sequence according to its position, since its behaviour is judged more reliably from its surroundings. The neighbor algorithm was constructed to realize this idea, and with it the false-negative performance was improved.

Through a study of the basic construction of intrusion detection systems on host system call sequences, we discuss the mathematical distribution of system call patterns and define the concept of a multi-class intrusion detection system on host system call sequences.

The neighbor algorithm was designed and applied, and a fuzzy neighbor algorithm was then derived from it. The experiments of the enumerating-sequences model and the data-mining model were repeated. The theory behind intrusion detection models based on system call sequences was studied, and ways of improving the classic models were discussed. All these models were compared in this thesis on the classic data sets provided by the University of New Mexico, which were used in the international intrusion detection competition. The results show that the mixed model can enhance the ability of intrusion detection efficiently. The mixed model picked out more abnormal patterns than the classic models did, so it is better at detecting unknown attacks.
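As an added illustration (not the thesis's own code, data or algorithm), the following Python sketch shows the three-class labelling and a neighbor adjustment of the kind the abstract describes: short sequences of length K are counted on a normal training trace, each window of a test trace is labelled Normal, Abnormal or Paltry by its training frequency, and each Paltry window is then re-labelled from the majority of its neighbors in time. The traces, the window length K, the paltry threshold, the radius and the majority-vote rule are all constructed assumptions; the thesis's actual neighbor relationship and its fuzzy variant are not reproduced here.

```python
from collections import Counter

# Constructed sample traces (not UNM data): system calls as short names.
# Training trace: a dominant 8-call cycle plus a rare "stat" pattern.
NORMAL_TRACE = ("open read mmap close write open read close " * 20
                + "stat open read close " * 3).split()

# Test trace: normal activity, a block of calls never seen in training
# wrapped around one rare-but-known pattern, more normal activity, and
# the rare pattern again in a normal context.
TEST_TRACE = (NORMAL_TRACE[:40]
              + "execve stat open read close setuid chmod".split()
              + NORMAL_TRACE[:40]
              + "stat open read close".split())

K = 3                     # short-sequence (window) length, assumed
PALTRY_THRESHOLD = 0.02   # relative frequency below which a known window is Paltry, assumed
RADIUS = 2                # how many windows on each side count as neighbors, assumed


def windows(trace, k=K):
    """Sliding windows of length k over a system call trace."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def build_profile(trace, k=K):
    """Relative frequency of every short sequence seen in normal training data."""
    counts = Counter(windows(trace, k))
    total = sum(counts.values())
    return {w: c / total for w, c in counts.items()}


def classify(trace, profile, k=K, threshold=PALTRY_THRESHOLD):
    """Three-class labelling of each window: Abnormal if never seen in
    training, Paltry if seen but rare, Normal otherwise."""
    labels = []
    for w in windows(trace, k):
        freq = profile.get(w)
        if freq is None:
            labels.append("Abnormal")
        elif freq < threshold:
            labels.append("Paltry")
        else:
            labels.append("Normal")
    return labels


def neighbor_adjust(labels, radius=RADIUS):
    """Assumed neighbor rule: a Paltry window takes the majority label of
    its neighbors within `radius`; on a tie it stays Paltry. Decisions use
    the original labels so the order of processing does not matter."""
    adjusted = list(labels)
    for i, label in enumerate(labels):
        if label != "Paltry":
            continue
        lo, hi = max(0, i - radius), min(len(labels), i + radius + 1)
        neigh = [labels[j] for j in range(lo, hi) if j != i]
        n_abnormal = neigh.count("Abnormal")
        n_normal = neigh.count("Normal")
        if n_abnormal > n_normal:
            adjusted[i] = "Abnormal"
        elif n_normal > n_abnormal:
            adjusted[i] = "Normal"
    return adjusted


def anomaly_score(labels):
    """Fraction of windows labelled Abnormal, usable against an alert threshold."""
    return labels.count("Abnormal") / len(labels)


if __name__ == "__main__":
    profile = build_profile(NORMAL_TRACE)
    raw = classify(TEST_TRACE, profile)
    adj = neighbor_adjust(raw)
    print("before adjustment:", Counter(raw), "score", round(anomaly_score(raw), 3))
    print("after adjustment: ", Counter(adj), "score", round(anomaly_score(adj), 3))
```

In this constructed run the rare "stat open read" window that sits between the unknown calls is pulled into the Abnormal class by its neighbors, while the same window at the end of the trace, surrounded by normal windows, is pulled into Normal. That is the effect the abstract attributes to the neighbor algorithm: rare sequences stop being judged in isolation, which lets the detector report more of an unknown attack without raising alarms on rare-but-benign behaviour.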
Keywords/Search Tags: intrusion detection, paltry short sequence, symbol sequence, relationship of neighbor, fuzzy theory