JCP 2010 Vol.5(8): 1219-1226 ISSN: 1796-203X
doi: 10.4304/jcp.5.8.1219-1226
doi: 10.4304/jcp.5.8.1219-1226
A Useful Anomaly Intrusion Detection Method Using Variable-length Patterns and Average Hamming Distance
Ye Du1, Ruhui Zhang1, and Youyan Guo2
1 Department of Computer Engineering, School of Computer and Information Technology, Beijing Jiaotong University, Beijing, China
2 Information Management Center, Beijing Anzhen Hospital, Capital Medical University, Beijing, China
Abstract—Intrusion detection techniques at the level of system processes are discussed, and a new method named VAHD (Variable-length Average Hamming Distance) is presented, which can be used to monitor and calculate deviation to discriminate between normal and abnormal sequences of system calls. For the reason that fixed-length patterns can not describe the system behavior correctly and its inability to represent long meaningful substrings, the VAHD method use Teiresias to get variable-length patterns and construct the normal set. Then the algorithm for detection is described in detail, and the pseudocode is also given. The method has some advantages, such as algorithm simplicity, low overhead of time, high accuracy and realtime detection. The prototype experiments with four attacks prove the validation of the method, which has high True Positive Rate and low False Positive Rate.
Index Terms—anomaly intrusion detection, variable-length patterns, average hamming distance, system call
2 Information Management Center, Beijing Anzhen Hospital, Capital Medical University, Beijing, China
Abstract—Intrusion detection techniques at the level of system processes are discussed, and a new method named VAHD (Variable-length Average Hamming Distance) is presented, which can be used to monitor and calculate deviation to discriminate between normal and abnormal sequences of system calls. For the reason that fixed-length patterns can not describe the system behavior correctly and its inability to represent long meaningful substrings, the VAHD method use Teiresias to get variable-length patterns and construct the normal set. Then the algorithm for detection is described in detail, and the pseudocode is also given. The method has some advantages, such as algorithm simplicity, low overhead of time, high accuracy and realtime detection. The prototype experiments with four attacks prove the validation of the method, which has high True Positive Rate and low False Positive Rate.
Index Terms—anomaly intrusion detection, variable-length patterns, average hamming distance, system call
Cite: Ye Du, Ruhui Zhang, and Youyan Guo, " A Useful Anomaly Intrusion Detection Method Using Variable-length Patterns and Average Hamming Distance," Journal of Computers vol. 5, no. 8, pp. 1219-1226, 2010.
General Information
ISSN: 1796-203X
Abbreviated Title: J.Comput.
Frequency: Bimonthly
Abbreviated Title: J.Comput.
Frequency: Bimonthly
Editor-in-Chief: Prof. Liansheng Tan
Executive Editor: Ms. Nina Lee
Abstracting/ Indexing: DBLP, EBSCO, ProQuest, INSPEC, ULRICH's Periodicals Directory, WorldCat,etc
E-mail: jcp@iap.org
-
Nov 14, 2019 News!
Vol 14, No 11 has been published with online version [Click]
-
Mar 20, 2020 News!
Vol 15, No 2 has been published with online version [Click]
-
Dec 16, 2019 News!
Vol 14, No 12 has been published with online version [Click]
-
Sep 16, 2019 News!
Vol 14, No 9 has been published with online version [Click]
-
Aug 16, 2019 News!
Vol 14, No 8 has been published with online version [Click]
- Read more>>