Intrusion detection model of host system call sequence based on neighbor algorithm

Cited by: 0
Authors
Wang, Z [1]
Peng, XG [1]
Affiliations
[1] Taiyuan Univ Technol, Dept Comp Sci & Technol, Taiyuan 030024, Peoples R China
Source
ISTM/2005: 6TH INTERNATIONAL SYMPOSIUM ON TEST AND MEASUREMENT, VOLS 1-9, CONFERENCE PROCEEDINGS | 2005
Keywords
relationship of neighbor; intrusion detection; paltry sequence; symbol sequence
DOI
Not available
Chinese Library Classification
TH7 [Instruments and meters]
Discipline classification code
0804; 080401; 081102
Abstract
The Enumerating Sequences Model, one of the intrusion detection models based on host system call sequences, strictly separates the short-sequence data to be detected into normal and abnormal classes. Because it does not consider the impurity and incompleteness of the training data set used to build the model, the earlier model ignores the instability of sequences that appear in the normal training data set with low frequency. To avoid the influence of such blemished data in the normal training data set on the intrusion detection model, this paper separates the training data set into three classes, normal, abnormal and paltry data, based on an analysis of the host system call short-sequence data set. The perturbation of a sequence is redefined, and a model that mixes anomaly detection and misuse detection is constructed. The relationship among short sequences ordered by time is studied to enhance the model's detection ability, and a neighbor algorithm is provided to decide the property of the user's behavior at the granularity of labeled sequences. The experiments of the Enumerating Sequences Model and the Data Mining Model were repeated, and the results show that the mixed model enhances the ability of intrusion detection efficiently on the same training data set. The character of abnormal behavior is more prominent, the abnormal degrees of both known and unknown attacks perform better, and the generalization ability of the model is improved.
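As an added illustration of the three-class training profile and the neighbor rule that the abstract describes (this is not the paper's code: the window length, the paltry threshold, the neighbourhood rule and the sample traces are assumptions of mine):

```python
from collections import Counter

def short_sequences(trace, k):
    """Enumerate length-k short sequences by sliding a window over a syscall trace."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]

def build_profile(normal_traces, attack_traces, k=3, paltry_threshold=2):
    """Three-class training profile (assumed scheme): a sequence seen in normal data at
    least paltry_threshold times is 'normal', a rarer normal sequence is 'paltry', and a
    sequence seen only in attack data is 'abnormal' (the misuse part of the model)."""
    normal_counts = Counter(s for t in normal_traces for s in short_sequences(t, k))
    profile = {s: ("normal" if n >= paltry_threshold else "paltry")
               for s, n in normal_counts.items()}
    for t in attack_traces:
        for s in short_sequences(t, k):
            profile.setdefault(s, "abnormal")
    return profile

def label_sequences(trace, profile, k=3):
    """Label each window of a trace; a sequence never seen in training is 'abnormal'
    (the anomaly-detection part of the model)."""
    return [profile.get(s, "abnormal") for s in short_sequences(trace, k)]

def enumerating_degree(labels):
    """Strict two-class baseline: every non-normal window counts as abnormal."""
    return sum(l != "normal" for l in labels) / len(labels) if labels else 0.0

def neighbor_degree(labels, radius=2, min_nonnormal=2):
    """Neighbor rule (assumed): a non-normal window is flagged only if its time-ordered
    neighbourhood (radius windows on each side) holds at least min_nonnormal non-normal
    labels, at least one of which is 'abnormal'. Isolated paltry sequences from an
    impure normal training set therefore do not raise the abnormal degree."""
    flagged = 0
    for i, lab in enumerate(labels):
        if lab == "normal":
            continue
        hood = labels[max(0, i - radius): i + radius + 1]
        if "abnormal" in hood and sum(l != "normal" for l in hood) >= min_nonnormal:
            flagged += 1
    return flagged / len(labels) if labels else 0.0

# Constructed sample traces (not from the paper's data set).
NORMAL_TRACES = [["open", "read", "write", "close"] * 3,
                 ["open", "read", "read", "write", "close"]]
ATTACK_TRACES = [["open", "execve", "write", "close"]]
PROFILE = build_profile(NORMAL_TRACES, ATTACK_TRACES)

def score(trace):
    """Return (strict enumerating degree, neighbor-algorithm degree) for one trace."""
    labels = label_sequences(trace, PROFILE)
    return enumerating_degree(labels), neighbor_degree(labels)
```

A trace containing only a rare but legitimate sequence scores 2/7 under the strict model and 0.0 under the neighbor rule, while the attack trace scores 0.5 under both.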
Pages: 519 / 522
Page count: 4