Report: "A program anomaly intrusion detection scheme based on fuzzy inference"

VNU Journal of Science, Natural Sciences and Technology 24 (2008) 71-81

A program anomaly intrusion detection scheme based on fuzzy inference

Dau Xuan Hoang (1), Minh Ngoc Nguyen (2)

(1) Department of Computer Science, Faculty of Information Technology, The Posts and Telecommunications Institute of Technology (PTIT), 122 Hoang Quoc Viet, Cau Giay, Hanoi, Vietnam
(2) Vietnam Posts and Telecommunications (VNPT), 10th Floor, Ocean Park Building, Dao Duy Anh, Dong Da, Hanoi, Vietnam

Corresponding author. E-mail: dauhoang@

Received 31 October 2007

Abstract. A major problem of existing anomaly intrusion detection approaches is that they tend to produce excessive false alarms. One reason for this is that the normal and abnormal behaviour of a monitored object can overlap or be very close to each other, which makes it difficult to define a clear boundary between the two. In this paper we present a fuzzy-based scheme for program anomaly intrusion detection using system calls. Instead of using crisp conditions or fixed thresholds, fuzzy sets are used to represent the parameter space of the program's sequences of system calls. In addition, fuzzy rules are used to combine multiple parameters of each sequence using fuzzy reasoning in order to determine the sequence status. Experimental results showed that the proposed fuzzy-based detection scheme reduced false positive alarms by 48 compared to the normal database scheme.

Keywords: anomaly intrusion detection, fuzzy logic, hidden Markov model, program-based anomaly intrusion detection.

1. Introduction

One of the most difficult tasks in anomaly intrusion detection is to determine the boundaries between the normal and abnormal behavior of a monitored object. A well-defined boundary helps an anomaly detection system correctly label the current behavior as normal or abnormal. Unfortunately, the border between the normal and abnormal behavior may not always be precisely defined, since the normal and abnormal behavior can overlap or be very close to each other [1-3].
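The abstract describes the scheme only at the level of "fuzzy sets over the parameter space of system-call sequences, combined by fuzzy rules". The following is an added illustration of that idea in Python; it is not the paper's code, and the two per-sequence parameters (a k-gram mismatch rate against a normal database and a likelihood-based surprise score from a first-order transition model standing in for the HMM the keywords mention), the membership breakpoints, the rule base and the sample traces are all constructed assumptions. What it shows is the point the abstract makes: no parameter is thresholded on its own; each is fuzzified into overlapping low/medium/high sets and the rules decide the sequence status from their combination.

```python
"""Fuzzy inference over per-sequence parameters of system-call traces.

Constructed illustration of the abstract's scheme, not the paper's code.
Parameter definitions, breakpoints, rules and traces are assumptions.
"""
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

Trace = List[str]

# Constructed system-call alphabet and normal training traces.
SYSCALLS = ["open", "read", "write", "close", "mmap", "execve", "socket"]
NORMAL_TRACES: List[Trace] = [
    ["open", "read", "read", "write", "close"],
    ["open", "read", "write", "write", "close"],
    ["open", "mmap", "read", "close"],
]


def tri(x: float, a: float, b: float, c: float) -> float:
    """Triangular membership: 0 at or below a and at or above c, 1 at b."""
    if x <= a or x >= c:
        return 0.0
    if x == b:
        return 1.0
    return (x - a) / (b - a) if x < b else (c - x) / (c - b)


# Fuzzy sets over each parameter, both scaled to [0, 1] (assumed breakpoints).
# The overlap between neighbouring sets is what replaces a fixed threshold.
SETS: Dict[str, Dict[str, Tuple[float, float, float]]] = {
    "mismatch": {"low": (-0.4, 0.0, 0.4), "medium": (0.2, 0.5, 0.8), "high": (0.6, 1.0, 1.4)},
    "surprise": {"low": (-0.4, 0.0, 0.4), "medium": (0.2, 0.5, 0.8), "high": (0.6, 1.0, 1.4)},
}

# Rule base (assumed): antecedent per parameter -> crisp abnormality score.
RULES: List[Tuple[Dict[str, str], float]] = [
    ({"mismatch": "low", "surprise": "low"}, 0.0),
    ({"mismatch": "low", "surprise": "medium"}, 0.2),
    ({"mismatch": "medium", "surprise": "low"}, 0.2),
    ({"mismatch": "medium", "surprise": "medium"}, 0.5),
    ({"mismatch": "high", "surprise": "low"}, 0.6),
    ({"mismatch": "low", "surprise": "high"}, 0.6),
    ({"mismatch": "high", "surprise": "medium"}, 0.8),
    ({"mismatch": "medium", "surprise": "high"}, 0.8),
    ({"mismatch": "high", "surprise": "high"}, 1.0),
]


def fuzzify(name: str, value: float) -> Dict[str, float]:
    """Membership of one crisp parameter value in each of its fuzzy sets."""
    return {label: tri(value, *abc) for label, abc in SETS[name].items()}


def infer(params: Dict[str, float]) -> float:
    """AND = min over antecedents; consequents averaged by rule strength."""
    memberships = {name: fuzzify(name, v) for name, v in params.items()}
    num = den = 0.0
    for antecedent, consequent in RULES:
        strength = min(memberships[n][label] for n, label in antecedent.items())
        num += strength * consequent
        den += strength
    return num / den if den else 0.0  # no rule fired: treat as no evidence


def _nll(trace: Trace, trans: Dict[str, Counter]) -> float:
    """Average negative log-probability per transition, add-one smoothed."""
    pairs = list(zip(trace, trace[1:]))
    if not pairs:
        return 0.0
    total = 0.0
    for a, b in pairs:
        row = trans.get(a, Counter())
        p = (row[b] + 1) / (sum(row.values()) + len(SYSCALLS))
        total -= math.log(p)
    return total / len(pairs)


def build_profile(normal: List[Trace], k: int = 3) -> dict:
    """Normal profile: k-gram database plus a first-order transition model."""
    grams = {tuple(t[i:i + k]) for t in normal for i in range(len(t) - k + 1)}
    trans: Dict[str, Counter] = defaultdict(Counter)
    for t in normal:
        for a, b in zip(t, t[1:]):
            trans[a][b] += 1
    # Calibration (assumption): the most surprising normal trace sets the scale,
    # so every training trace maps to a surprise value of at most 0.5.
    scale = max(_nll(t, trans) for t in normal) or 1.0
    return {"k": k, "grams": grams, "trans": trans, "scale": scale}


def mismatch_rate(trace: Trace, profile: dict) -> float:
    """Fraction of the trace's k-grams absent from the normal database."""
    k = profile["k"]
    grams = [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]
    if not grams:
        return 0.0  # trace shorter than k: nothing to compare
    return sum(g not in profile["grams"] for g in grams) / len(grams)


def surprise(trace: Trace, profile: dict) -> float:
    """Transition-model surprise scaled to [0, 1] against the normal profile."""
    return min(1.0, _nll(trace, profile["trans"]) / (2 * profile["scale"]))


def classify(trace: Trace, profile: dict, threshold: float = 0.5) -> Tuple[float, str]:
    """Sequence status from the fuzzy combination of both parameters."""
    score = infer({"mismatch": mismatch_rate(trace, profile),
                   "surprise": surprise(trace, profile)})
    return score, ("abnormal" if score >= threshold else "normal")


if __name__ == "__main__":
    prof = build_profile(NORMAL_TRACES)
    for t in (["open", "read", "write", "close"],
              ["open", "read", "execve", "socket", "write"]):
        print(t, classify(t, prof))
```

The one crisp decision left is the final threshold on the combined score, which is the behaviour the abstract contrasts with thresholding each raw parameter: a sequence whose k-grams are all known but whose transitions are somewhat unusual only nudges the score (the "low mismatch, medium surprise" rule), whereas it would have tripped a crisp surprise threshold set at the same level.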