Visualizing and Identifying Intrusion Context from System Calls Trace

Zhuowei Li
Nanyang Technological University
Singapore

Amitabha Das
Nanyang Technological University
Singapore

Anomaly-based Intrusion Detection (AID) techniques are useful for detecting novel intrusions without
known signatures. However, AID techniques suffer from higher false alarm rates than signature-based
intrusion detection techniques. In this paper, the concept of intrusion context identification is
introduced to address this problem. Identifying the intrusion context can significantly
enhance the detection rate and lower the false alarm rate of AID techniques. To evaluate the effectiveness
of the concept, a simple but representative scheme for intrusion context identification is proposed, in
which the anomalies in the intrusive datasets are visualized first, and then the intrusion contexts are
identified from the visualized anomalies. The experimental results show that, using the scheme, the
intrusion context can be visualized and abstracted from the audit trails correctly. In addition, as an
application of the visualized anomalies, the efficiencies of stide and t-stide are compared and analyzed.
Finally, based on the identified intrusion context and the efficiency comparison, several findings are made
which offer useful insights and can benefit future research on AID techniques.
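The following is an added illustration, not code from the paper, of the pipeline the abstract describes: a stide normal database is trained from system-call traces, a test trace is classified window by window under stide and under t-stide, and the anomalous windows are merged into marked spans of the trace, which is the kind of visualized anomaly from which an intrusion context can be read off. stide and t-stide follow their usual definitions (a sliding window of k calls; a window absent from the normal database is a mismatch; t-stide additionally flags windows whose training frequency is below a threshold). The syscall names, the traces, k=4 and the 3% rarity threshold are constructed assumptions chosen so the example runs offline.

```python
"""stide / t-stide over system-call traces, with anomalous spans marked.

Added illustration, not the paper's code. Traces, syscall names, k=4 and the
rarity threshold are constructed assumptions.
"""
from collections import Counter

# Constructed "normal" traces: benign runs of a file-processing loop.
# The second trace ends with a path through stat that occurs only once.
NORMAL_TRACES = [
    ["open", "read", "write", "close"] * 5,
    ["open", "read", "read", "write", "close"] * 4
    + ["open", "stat", "read", "write", "close"],
    ["mmap", "open", "read", "write", "close", "munmap"] * 3,
]

# Constructed intrusive trace: the rare stat path recurs once, and a
# setuid/execve pair is injected where the loop would normally write.
TEST_TRACE = (
    ["open", "read", "write", "close"] * 2
    + ["open", "stat", "read", "write", "close"]
    + ["open", "read", "write", "close"]
    + ["open", "read", "setuid", "execve"]
    + ["open", "read", "write", "close"] * 2
)


def windows(trace, k):
    """All length-k sliding windows of a trace, in order."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def train_stide(normal_traces, k=4):
    """Normal database: every length-k window seen in training, with its count."""
    db = Counter()
    for trace in normal_traces:
        db.update(windows(trace, k))
    return db


def detect(db, trace, k=4, rare_threshold=None):
    """Classify each window of `trace` as 'normal', 'mismatch' or 'rare'.

    rare_threshold=None gives plain stide. A fraction (e.g. 0.03) gives
    t-stide, which also flags windows whose share of all training windows
    is below that fraction.
    """
    total = sum(db.values())
    verdicts = []
    for i, w in enumerate(windows(trace, k)):
        count = db.get(w, 0)
        if count == 0:
            verdict = "mismatch"
        elif rare_threshold is not None and count / total < rare_threshold:
            verdict = "rare"
        else:
            verdict = "normal"
        verdicts.append((i, w, verdict))
    return verdicts


def locality_frame_counts(verdicts, frame=20):
    """stide's alarm measure: anomalous windows among the last `frame` windows."""
    flags = [v != "normal" for _, _, v in verdicts]
    return [sum(flags[max(0, i - frame + 1):i + 1]) for i in range(len(flags))]


def anomaly_regions(verdicts, k):
    """Merge runs of anomalous windows into syscall spans (start, end, kind).

    Windows i..j cover syscalls i..j+k-1; these spans show where in the trace
    the anomaly lives and which calls it touches.
    """
    regions, run = [], []
    for i, _, v in verdicts + [(None, None, "normal")]:  # sentinel flushes last run
        if v != "normal":
            run.append((i, v))
            continue
        if run:
            kinds = {kind for _, kind in run}
            kind = kinds.pop() if len(kinds) == 1 else "mixed"
            regions.append((run[0][0], run[-1][0] + k - 1, kind))
            run = []
    return regions


def render(trace, regions):
    """Text visualization: one syscall per line, anomalous spans marked."""
    marks = [""] * len(trace)
    for start, end, kind in regions:
        for i in range(start, end + 1):
            marks[i] = "<-- " + kind
    return "\n".join(f"{i:3d} {name:8s} {m}" for i, (name, m) in enumerate(zip(trace, marks)))


if __name__ == "__main__":
    db = train_stide(NORMAL_TRACES, k=4)
    for name, threshold in (("stide", None), ("t-stide", 0.03)):
        verdicts = detect(db, TEST_TRACE, k=4, rare_threshold=threshold)
        print(f"== {name}: max locality frame count {max(locality_frame_counts(verdicts))}")
        print(render(TEST_TRACE, anomaly_regions(verdicts, k=4)))
```

Under stide only the injected setuid/execve region is marked; under t-stide the once-seen stat path is marked as well, so t-stide exposes more of the trace as anomalous and its locality frame count rises accordingly. Comparing the two marked traces side by side is the kind of efficiency comparison the abstract refers to: the second span is a true rare-but-benign path, so whether it counts as detection or as a false alarm depends on the intrusion context assigned to it.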

Keywords: Intrusion Detection, Stide, Intrusion Context Identification, Visualization of Anomaly
