
Research On Anomaly Detection Modeling Based On System Call Traces By Support Vector Machine

Posted on: 2006-11-05    Degree: Master    Type: Thesis
Country: China    Candidate: Z R Zhang    Full Text: PDF
GTID: 2168360155974240    Subject: Computer application technology
Abstract/Summary:
With the development of network technology, networks have come into extensive use, and with their popularization more and more attention is being focused on network security. Intrusion detection has emerged as an important approach in computer security. In this thesis, we address the problem of detecting intrusive activities using host-based data as the source; in particular, program profiles based on Unix system calls are modeled. The generalizing ability of current intrusion detection systems (IDS) is poor when little prior knowledge is available. An IDS based on support vector machines (SVM) needs less prior knowledge than other methods and can shorten the training time at the same detection performance; with SVM, the generalizing ability of the IDS remains good even when the sample size is small (little prior knowledge).

The classical intrusion detection model based on sequences of host system calls divides the character of a short sequence into two classes. However, some short sequences, whose frequencies are low compared with the others, should be separated from both the normal and the abnormal mode, because their presence alone cannot tell us whether the behavior of the computer's user was normal or abnormal. The sequences are therefore classified into three classes: Normal, Abnormal and Paltry. The behavior of a paltry short sequence is judged more reliably from its environment, and a neighbor algorithm is constructed to determine the character of paltry short sequences.

First, the approach to intrusion detection based on support vector machines is discussed. Then the paltry short sequence is introduced and the resulting improvement of the SVM-based intrusion detection method is presented. Finally, an example using system call trace data, which is commonly used in intrusion detection, is given to illustrate the performance of this method, together with a comparison of detection ability between this method and the traditional SVM-based detection method. The experimental results demonstrate that the approach of this thesis not only retains the advantages of SVM in classification, such as high generalization ability, short training time and good performance even with little prior knowledge, but also, compared with the traditional method, represents the character of behavior more accurately. It therefore also performs well in increasing the abnormality degree of abnormal behavior and in identifying unknown attacks.
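The following is an added illustration, not code from the thesis: it builds short sequences from constructed system-call traces, labels them Normal, Abnormal or Paltry from a frequency profile (a stand-in for the thesis's SVM classifier, which is assumed away to keep the example self-contained), and applies an assumed neighbor rule to decide the paltry ones from their surroundings, so the anomaly score of an attack-like trace can be compared with the classical two-class treatment.

```python
from collections import Counter
# Constructed sample traces (not from the thesis): lists of system-call names.
NORMAL_TRACES = [
    ["open", "read", "read", "close"] * 3,
    ["open", "read", "write", "close"] * 3,
    ["open", "mmap", "read", "close"],           # a rare but legitimate path
]
TRACE_A = ["open", "mmap", "read", "close", "open", "read", "read", "close"]
TRACE_B = ["open", "mmap", "read", "close", "execve", "setuid", "socket", "connect"]

def short_sequences(trace, k=3):
    """Sliding window of length k over a trace -> list of k-tuples."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]

def build_profile(traces, k=3):
    """Frequency table of short sequences observed in normal training traces."""
    profile = Counter()
    for trace in traces:
        profile.update(short_sequences(trace, k))
    return profile

def classify_sequence(seq, profile, paltry_threshold=2):
    """Three classes: unseen -> abnormal, seen but rare -> paltry, else normal.
    (Assumption: a frequency rule stands in for the thesis's SVM classifier.)"""
    count = profile.get(seq, 0)
    if count == 0:
        return "abnormal"
    return "paltry" if count < paltry_threshold else "normal"

def resolve_paltry(labels, radius=2):
    """Assumed neighbour rule: a paltry sequence takes the majority label of the
    non-paltry sequences within `radius` positions; ties or no neighbours are
    scored abnormal, the conservative choice for a detector."""
    resolved = list(labels)
    for i, label in enumerate(labels):
        if label != "paltry":
            continue
        window = range(max(0, i - radius), min(len(labels), i + radius + 1))
        near = [labels[j] for j in window if j != i and labels[j] != "paltry"]
        resolved[i] = "normal" if near.count("normal") > near.count("abnormal") else "abnormal"
    return resolved

def anomaly_score(trace, profile, k=3, three_class=True):
    """Fraction of abnormal short sequences; three_class=False collapses paltry
    into normal, i.e. the classical two-class treatment."""
    labels = [classify_sequence(s, profile) for s in short_sequences(trace, k)]
    if three_class:
        labels = resolve_paltry(labels)
    return sum(l == "abnormal" for l in labels) / len(labels)
```

With the three-class rule TRACE_B scores 1.0 because its two paltry sequences sit next to unseen ones, whereas the two-class treatment scores it 4/6; TRACE_A scores 0.0 under both.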
Keywords/Search Tags: network security, intrusion detection, statistical learning, support vector machine, paltry short sequence, relationship of neighbor