An intrusion detection system plays an essential role in system security by discovering and preventing malicious activities. Over the past few years, several research projects on host-based intrusion detection systems (HIDSs) have been carried out utilizing the Australian Defense Force Academy Linux Dataset (ADFA-LD). These HIDS have also been subjected to various algorithm analyses to enhance their detection capability for high accuracy and low false alarms. However, less attention is paid to the actual implementation of real-time HIDS. Our principal objective in this study is to create a performant real-time HIDS. We propose a new model, “Better Similarity Algorithm for Host-based Intrusion Detection System” (BSA-HIDS), using the same dataset ADFA-LD. The proposed model uses three classifications to represent the attack folder according to certain criteria, the entire system call sequence is used. Furthermore, this work uses textual distance and compares five algorithms like Levenshtein, Jaro–Winkler, Jaccard, Hamming, and Dice coefficient, to classify the system call trace as attack or non-attack based on the notions of interclass decoupling and intra-class coupling. The model can detect zero-day attacks because of the threshold definition. The experimental results show a good detection performance in real-time for Levenshtein/Jaro–Winkler algorithms, 99–94% in detection rate, 2–5% in false alarm rate, and 3,300–720 s in running time, respectively.
Policy Interaction Graph Analysis is a Host-based Intrusion Detection tool that uses Linux MAC Mandatory access control policy to build the licit information flow graph and uses a detection policy defined by the administrator to extract illicit behaviour from the graph. The main limitation of this tool is the generation of a huge signature base of illicit behaviours; hence, this leads to the use of huge memory space to store it. Our primary goal in this article is to reduce this memory space while keeping the tool’s efficiency in terms of intrusion detection rate and false generated alarms. First, the interactions between the two nodes of the graph were grouped into a single interaction. The notion of equivalence class was used to classify the paths in the graph and was compressed by using a genetic algorithm. Such an approach showed its efficiency compared to the approach proposed by Pierre Clairet, by which the detection rate obtained was 99.9%, and no false-positive with a compression rate of illicit behaviour signature database reached 99.44%. Having these results is one of the critical aspects of realizing successful host-based intrusion detection systems.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.
hi@scite.ai
10624 S. Eastern Ave., Ste. A-614
Henderson, NV 89052, USA
Copyright © 2024 scite LLC. All rights reserved.
Made with 💙 for researchers
Part of the Research Solutions Family.