Host intrusion detection using system call argument-based clustering combined with Bayesian classification

Dissertant

Koucham, Walid

Thesis advisor

Asim, Nasir
Rashidi, Taj al-Din

University

Al Akhawayn University

Faculty

School of Science and Engineering

Department

Computer Science

University Country

Morocco

Degree

Master

Degree Date

2014

English Abstract

We deal in this project with anomaly-based host intrusion detection using system call traces produced by a host's kernel.

Calls' arguments, together with contextual information and domain-level knowledge, are used first to produce clusters for each individual system call.

These clusters are further used to rewrite process sequences of system calls obtained from kernel logs.

Results of clustering validation using the Silhouette width and validation are provided, as well as a manual analysis of the produced clusters.

The new sequences are then fed to a naive Bayes supervised classifier (SC2.2) that builds class-conditional probabilities from Markov modeling of system call sequences.

The results of our proposed two-stage (that is, clustering followed by classification) intrusion detection system on the 1999 DARPA dataset from the MIT Lincoln Lab show significant performance improvements in terms of false positive rate (up to 20% improvement), while maintaining a high detection rate when compared with other classifiers.

The two-stage classifier also fares better than bare classification with SC2.2 on system calls without arguments and contextual knowledge.

Main Subjects

Information Technology and Computer Science

Topics

No. of Pages

69

Table of Contents

Table of contents.

Abstract.

Abstract in Arabic.

Chapter One : Introduction.

Chapter Two : Intrusion detection.

Chapter Three : The proposed two-stage HIDS.

Chapter Four : Clustering system calls.

Chapter Five : Classifier modeling and learning.

Chapter Six : Implementation.

Chapter Seven : Experiments and results.

Chapter Eight : Conclusion.

References.

American Psychological Association (APA)

Koucham, Walid. (2014). Host intrusion detection using system call argument-based clustering combined with Bayesian classification. (Master's thesis). Al Akhawayn University, Morocco.
https://search.emarefa.net/detail/BIM-646384

Modern Language Association (MLA)

Koucham, Walid. Host intrusion detection using system call argument-based clustering combined with Bayesian classification. (Master's thesis). Al Akhawayn University. (2014).
https://search.emarefa.net/detail/BIM-646384

American Medical Association (AMA)

Koucham, Walid. (2014). Host intrusion detection using system call argument-based clustering combined with Bayesian classification. (Master's thesis). Al Akhawayn University, Morocco.
https://search.emarefa.net/detail/BIM-646384

Language

English

Data Type

Arab Theses

Record ID

BIM-646384