Host Based Intrusion Detection System Using Frequency Analysis of N-Gram Terms

Host based Intrusion Detection Systems (HIDSs) analyze the sequence of system calls in the trace and audit log files to identify intrusive system processes. HIDSs use the frequency analysis of n-gram terms in the system call traces to identify intrusive processes. However, they are computation and resource intensive as they need to analyze a large number of n-gram input features to differentiate between normal and intrusive system processes. This put a severe limitation on their real time application while analyzing voluminous system call traces. To address this issue, we propose a computation efficient HIDS framework that initially transforms the system call traces to n-gram vector representational model and then uses a dimensionality reduction process to reduce the size of the input feature vectors. The dimensionality reduced n-gram feature vectors are finally analyzed by various machine learning based classifier models to identify intrusive processes. Performance evaluation of the proposed HIDS framework on the benchmark Australian Defense Force Academy Linux Dataset (ADFA-LD) shows that it effectively detects intrusive system processes with high accuracy and low false positive rate, while at the same time incur a minimum computational overhead.