
Sequences Of System Calls For Intrusion Detection

Posted on: 2010-01-07  Degree: Master  Type: Thesis
Country: China  Candidate: X L Zhang  Full Text: PDF
GTID: 2208360275491611  Subject: Computer application technology
Abstract/Summary:
Intrusion detection based on system call sequences appeared in the late 1980s and has been highly successful, opening a new branch of research in the intrusion detection field. The method decides whether behaviour is normal or anomalous by examining the short system call sequences observed in the most recent period; the basic criterion is the probability of each short system call sequence. One advantage of this approach is the simplicity of the model. Building on S. Forrest's original method, many researchers have proposed new methods such as STIDE, T-STIDE and the Markov model. Of these, the Markov model is a state transition probability model: the short system call sequences of the training dataset are used to construct the states and the transition probability matrix, and the resulting model is then used to detect anomalies in the system call sequences of the test dataset. All of these methods have proved efficient to some degree.

This thesis proposes an improved method based on the Markov model. Three aspects are improved: 1) a double-layer Markov intrusion detection model; 2) a compressed Markov model; 3) a detection method based on path entropy. These improvements make the model more efficient and more extensible. One kind of dataset corresponds to one kind of Markov chain (MC). In the experiments, first, the improved Markov model is built using improvements 2) and 3); second, the dataset is analysed and a way of selecting traces from it is proposed; third, the true positive rate and false positive rate are measured; fourth, the improved Markov model is compared with the other methods on efficiency. The compressed Markov model is also analysed on its own. The experiments show that the improved Markov model not only works well but also increases the true positive rate and decreases the false positive rate, and that using a hash data structure cuts the time cost and raises detection efficiency. The path-entropy detection method needs 3 arguments; to obtain high accuracy, only these 3 arguments need to be adjusted, and the experiments give a suggested range for them. The detection index is accurate, simple and easy to configure, and the detection method is useful for intrusion detection. The improved Markov model is therefore useful both in applications and in theory.
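As an added example, not code from the thesis, the core of the Markov-model approach described above in Python: each state is a short system call sequence, the transition probability matrix is held in a hash table built from training traces, and a test trace is scored by its average per-transition surprisal, used here as a stand-in for the path-entropy index because the thesis's exact formula, compression scheme and double-layer design are not given on this page. The traces, the window length, the probability assigned to unseen transitions and the threshold are all constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample traces (not from the thesis): system calls from normal
# runs of a hypothetical program, used as the training dataset.
NORMAL_TRACES = [
    ["open", "read", "mmap", "mmap", "close", "open", "read", "write", "close"],
    ["open", "read", "mmap", "mmap", "close", "open", "read", "read", "write", "close"],
    ["open", "read", "mmap", "close", "open", "read", "write", "close", "exit"],
]
# Constructed test trace that diverges from normal behaviour after "mmap".
DEVIANT_TRACE = ["open", "read", "mmap", "setuid", "execve", "fork", "execve", "socket"]
WINDOW = 2          # each Markov state is a short system call sequence of this length
UNSEEN_PROB = 1e-3  # assumed probability for a transition absent from training

def windows(trace, window=WINDOW):
    """Slide a fixed-length window over the trace; each window is one Markov state."""
    return [tuple(trace[i:i + window]) for i in range(len(trace) - window + 1)]

def train(traces, window=WINDOW):
    """Build the transition probability matrix as a hash table keyed by state."""
    counts = defaultdict(lambda: defaultdict(int))
    for trace in traces:
        states = windows(trace, window)
        for cur, nxt in zip(states, states[1:]):
            counts[cur][nxt] += 1
    return {cur: {nxt: n / sum(row.values()) for nxt, n in row.items()}
            for cur, row in counts.items()}

def path_surprisal(trace, model, window=WINDOW, unseen_prob=UNSEEN_PROB):
    """Average -log2 transition probability (bits) along the trace and the number
    of transitions never seen in training. Used here as the path-entropy style
    score; the thesis's exact formula is not given on the page (assumption)."""
    states = windows(trace, window)
    if len(states) < 2:
        return 0.0, 0  # too short to contain a transition; nothing to judge
    bits, unseen = 0.0, 0
    for cur, nxt in zip(states, states[1:]):
        p = model.get(cur, {}).get(nxt)
        if p is None:
            p, unseen = unseen_prob, unseen + 1
        bits -= math.log2(p)
    return bits / (len(states) - 1), unseen

def is_anomalous(trace, model, threshold_bits=2.0):
    """Flag a trace whose average surprisal exceeds the tuned threshold."""
    score, _ = path_surprisal(trace, model)
    return score > threshold_bits
```

The threshold and the unseen-transition probability play the role of tunable detection arguments: raising the threshold lowers false positives at the cost of missing traces that deviate only slightly from training.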
Keywords/Search Tags: information security, intrusion detection, system call sequences, Markov model, path entropy