Utilizing Statistical Characteristics of N-grams for Intrusion Detection

  • Authors: Li Zhuowei; Amitabha Das; Sukumar Nandi

  • Venue: CW '03 Proceedings of the 2003 International Conference on Cyberworlds
  • Year: 2003

Abstract

Information and infrastructure security is a serious issue of global concern. As the last line of defense for security infrastructure, intrusion detection techniques are paid more and more attention. In this paper, one anomaly-based intrusion detection technique (ScanAID: Statistical ChAracteristics of N-grams for Anomaly-based Intrusion Detection) is proposed to detect intrusive behaviors in a computer system. The statistical properties in sequences of system calls are abstracted to model the normal behaviors of a privileged process, in which the model is characterized by a vector of anomaly values of N-grams. With a reasonable definition of efficiency parameter, the length of an N-gram and the size of the training dataset are optimized to get an efficient and compact model. Then, with the optimal modeling parameters, the flexibility and efficiency of the model are evaluated by the ROC curves. Our experimental results show that the proposed statistical anomaly detection technique is promising and deserves further research (such as applying it to network environments).