Skip to Main Content
Intrusion detection systems (IDSs) attempt to identify attacks by comparing new data to predefined signatures known to be malicious (misuse IDSs) or to a model of normal behavior (anomaly-based IDSs). Anomaly intrusion detection approaches have the advantage of detecting previously unknown or new attacks, but suffer from the possible high false alarms due to the problem of behavior drifting and the difficulty of building an adaptive model. In this paper, we propose a model based on the data mining technique - naïve Bayes classification to classify an input event (system call sequences generated from privileged processes) as “normal” or “anomalous” to detect system anomalous behavior. The independent frequency of each system call from a process collected under the normal conditions is the basis for the classifier. The ratio of the probability of a sequence from a process and the probability NOT from the process serves as the input of a fuzzy system for the classification. Experimental results in a data set consisting of both normal and intrusion traces show that the model can successfully detect most of intrusion traces with a very low false alarm rate.