Abstract:
A major problem of existing anomaly intrusion detection approaches is that they tend to
produce excessive false alarms. One reason for this is that the normal and abnormal behaviour of
a monitored object can overlap or be very close to each other, which makes it difficult to define a
clear boundary between the two. In this paper, we present a fuzzy-based scheme for program
anomaly intrusion detection using system calls. Instead of using crisp conditions, or fixed
thresholds, fuzzy sets are used to represent the parameter space of the program sequences of
system calls. In addition, fuzzy rules are used to combine multiple parameters of each sequence,
using fuzzy reasoning, in order to determine the sequence status. Experimental results showed that
the proposed fuzzy-based detection scheme reduced false positive alarms by 48%, compared to the
normal database scheme.
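The scheme sketched above, as an added illustration that is not the paper's own code: a normal database of system-call k-grams, two per-sequence parameters (the fraction of unseen k-grams and the Hamming distance to the nearest normal k-gram), overlapping LOW/HIGH fuzzy sets on each parameter, and Mamdani-style rules that combine them, beside a crisp single-threshold baseline. The choice of parameters, membership shapes, rules and sample traces are all assumptions made for the example.

```python
# Added example, not the paper's code: fuzzy versus crisp status of a system-call
# sequence against a "normal database" of k-grams. The two sequence parameters
# and the membership shapes are assumptions chosen for illustration.
K = 3  # window length of a system-call sequence (assumed)

def build_normal_db(traces, k=K):
    """Count every k-gram seen in normal traces (the normal database)."""
    db = {}
    for t in traces:
        for i in range(len(t) - k + 1):
            g = tuple(t[i:i + k])
            db[g] = db.get(g, 0) + 1
    return db

def sequence_parameters(seq, db, k=K):
    """unseen: fraction of the sequence's k-grams absent from db; dist: largest
    Hamming distance (fraction of differing positions) to the nearest db k-gram."""
    grams = [tuple(seq[i:i + k]) for i in range(len(seq) - k + 1)]
    if not grams or not db:
        return 0.0, 0.0
    unseen = sum(g not in db for g in grams) / len(grams)
    dist = max(min(sum(a != b for a, b in zip(g, h)) for h in db) / k for g in grams)
    return unseen, dist

def ramp(x, a, b):
    """Membership rising linearly from 0 at x <= a to 1 at x >= b."""
    return min(1.0, max(0.0, (x - a) / (b - a)))

def high(x): return ramp(x, 0.3, 0.8)        # fuzzy set HIGH
def low(x): return 1.0 - ramp(x, 0.2, 0.6)   # fuzzy set LOW (overlaps HIGH on 0.3..0.6)

def classify_crisp(seq, db, threshold=0.5):
    """Baseline: a single fixed threshold on the unseen fraction."""
    return "abnormal" if sequence_parameters(seq, db)[0] > threshold else "normal"

def classify_fuzzy(seq, db):
    """Mamdani-style reasoning: AND is min, rules with the same consequent are
    combined with max, and the stronger consequent decides the status."""
    unseen, dist = sequence_parameters(seq, db)
    abnormal = min(high(unseen), high(dist))   # R1: many unseen grams AND far from normal
    normal = max(low(unseen), low(dist))       # R2: few unseen grams; R3: all grams near normal
    return ("abnormal" if abnormal > normal else "normal"), abnormal, normal

# Constructed sample traces of a file-copying program (not real data).
NORMAL = [["open", "read", "write", "close"],
          ["open", "read", "read", "write", "close"],
          ["open", "mmap", "read", "close"]]
DB = build_normal_db(NORMAL)
VARIANT = ["open", "read", "write", "write", "close"]  # one extra write: benign variation
FOREIGN = ["socket", "bind", "listen", "accept"]       # nothing like the normal traces
```

The crisp threshold flags `VARIANT` (two of its three k-grams are unseen) while the fuzzy rules keep it normal because every k-gram is only one call away from the database; `FOREIGN` is flagged by both.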