Towards a better similarity algorithm for host-based intrusion detection system
Main Authors: | Ouarda Lounis, Malika Bourenane, Brahim Bouderah |
---|---|
Format: | Article |
Language: | English |
Published: | De Gruyter, 2023-04-01 |
Series: | Journal of Intelligent Systems |
Subjects: | adfa-ld, levenshtein, jaro–winkler, bsa-hids, zero-day attack, system call sequences, similarity, 68m25 |
Online Access: | https://doi.org/10.1515/jisys-2022-0259 |
Field | Value |
---|---|
author | Ouarda Lounis, Malika Bourenane, Brahim Bouderah |
collection | DOAJ |
description | An intrusion detection system plays an essential role in system security by discovering and preventing malicious activities. Over the past few years, several research projects on host-based intrusion detection systems (HIDSs) have been carried out using the Australian Defense Force Academy Linux Dataset (ADFA-LD). These HIDSs have also been subjected to various algorithmic analyses to enhance their detection capability, aiming for high accuracy and low false-alarm rates. However, less attention has been paid to the actual implementation of a real-time HIDS. Our principal objective in this study is to build a performant real-time HIDS. We propose a new model, “Better Similarity Algorithm for Host-based Intrusion Detection System” (BSA-HIDS), using the same ADFA-LD dataset. The proposed model uses three classifications to represent the attack folder according to certain criteria, and the entire system call sequence is used. Furthermore, this work uses textual distance and compares five algorithms, namely Levenshtein, Jaro–Winkler, Jaccard, Hamming, and the Dice coefficient, to classify a system call trace as attack or non-attack based on the notions of inter-class decoupling and intra-class coupling. The model can detect zero-day attacks because of the way its threshold is defined. The experimental results show good real-time detection performance for the Levenshtein and Jaro–Winkler algorithms: 99% and 94% detection rate, 2% and 5% false alarm rate, and 3,300 s and 720 s running time, respectively. |
id | doaj.art-180f54a9cfc1437faf5dc632ccbd8912 |
institution | Directory Open Access Journal |
issn | 2191-026X |
topic | adfa-ld, levenshtein, jaro–winkler, bsa-hids, zero-day attack, system call sequences, similarity, 68m25 |