Host-based Intrusion Detection And Prediction Algorithms

Posted on: 2011-06-29
Degree: Master
Type: Thesis
Country: China
Candidate: X Zhao
GTID: 2208360308955292
Subject: Information security
Abstract/Summary:
Intrusion detection is an important security technology for protecting information systems, alongside firewalls and data encryption. An Intrusion Detection System (IDS) is highly capable of identifying malicious behavior in networks and responding to it. As an important component of the security system and an indispensable supplement to other security measures, it receives more attention and is relied on more heavily than before.

Current intrusion detection systems perform poorly when the original system-call-based data sets are very large. To process large amounts of audit data for effective intrusion detection, we present a novel method based on Non-negative Matrix Factorization (NMF) with high efficiency and low overhead. We improve this method by using one-way sliding windows and double-way sliding windows. Both sequence and frequency characteristics are analyzed in the preprocessing phase with typical system call data, and the intrusion detection problem is converted into the problem of detecting outlier points in a vector space. The computed frequencies of individual system calls generated by a process, and of individual commands embedded in a block, are transformed into column vectors that serve as the input data. NMF reduces these high-dimensional data vectors: the high-dimensional vector space is projected onto a low-dimensional space. Finally, anomaly detection is performed in the low-dimensional space.

We also address prediction in intrusion detection systems, using plan recognition theory for intrusion detection prediction. With system call sequences as the observation data, the plan behind anomalous behavior is recognized.

At present, research on computer system security assessment in our country has just begun. System security assessment can detect threats in computer systems and is a very important active defense technology. This problem is also part of the work in this paper. For audit data, we evaluate the system security assessment and then use a time series model to forecast the security situation of the computer system. We have used this model in our network situation assessment and prediction sub-system. By establishing threshold values, the sub-system alerts the user when necessary.
Keywords/Search Tags:Intrusion Detection, Non-negative Matrix Factorization, Feature Extraction, System Call Sequence, Plan Recognition, Security Assessment, Time Series
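The pipeline the abstract outlines (sliding-window system-call frequencies, NMF projection, outlier detection), as an added sketch that is not the thesis's own code. The Lee-Seung multiplicative updates, the reconstruction-error score, the window width, the rank and the sample traces are all assumptions made here for illustration.

```python
import random

def window_freqs(trace, n_calls, width):
    """One-way sliding window: one normalized call-frequency vector per position."""
    out = []
    for i in range(len(trace) - width + 1):
        v = [0.0] * n_calls
        for call in trace[i:i + width]:
            v[call] += 1.0 / width
        out.append(v)
    return out

def T(A):
    return [list(col) for col in zip(*A)]

def mm(A, B):
    Bt = T(B)
    return [[sum(a * b for a, b in zip(row, col)) for col in Bt] for row in A]

def scale(M, num, den, eps=1e-9):
    """Element-wise multiplicative update M * num / den."""
    return [[m * a / (b + eps) for m, a, b in zip(mr, nr, dr)]
            for mr, nr, dr in zip(M, num, den)]

def nmf(V, r, W=None, iters=200, seed=0):
    """Lee-Seung updates for V ~ W H, V is (calls x windows). A given W stays fixed."""
    rng = random.Random(seed)
    learn_w = W is None
    if learn_w:
        W = [[rng.random() + 0.1 for _ in range(r)] for _ in V]
    H = [[rng.random() + 0.1 for _ in V[0]] for _ in range(r)]
    for _ in range(iters):
        Wt = T(W)
        H = scale(H, mm(Wt, V), mm(mm(Wt, W), H))
        if learn_w:
            Ht = T(H)
            W = scale(W, mm(V, Ht), mm(W, mm(H, Ht)))
    return W, H

def scores(W, vectors):
    """Distance of each window from its reconstruction in the learned low-dim space."""
    _, H = nmf(T(vectors), len(W[0]), W=W)
    recon = T(mm(W, H))
    return [sum((x - y) ** 2 for x, y in zip(v, rv)) ** 0.5
            for v, rv in zip(vectors, recon)]

# Constructed data: call ids 0..5; normal behaviour only ever uses calls 0..3.
NORMAL = ([0, 1] * 4 + [2, 3] * 4) * 4
SUSPECT = [0, 1, 0, 1, 4, 5, 4, 5, 2, 3]
W, _ = nmf(T(window_freqs(NORMAL, 6, 4)), r=2)   # 6 call dimensions -> 2 basis vectors
NORMAL_SCORES = scores(W, window_freqs(NORMAL, 6, 4))
SUSPECT_SCORES = scores(W, window_freqs(SUSPECT, 6, 4))
```

Because calls 4 and 5 never occur in the training trace, their rows in the learned basis collapse to zero, so any window built from them cannot be reconstructed and lands far from the normal points.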