Intelligent Anomaly-Based Intrusion Detection in Linux Kernel

Almasian, Negar | 2008

Type of Document: M.Sc. Thesis
Language: English
Document No: 39278 (52)
University: Sharif University of Technology, International Campus, Kish Island
Department: Science and Engineering
Advisor(s): Azmi, Reza

Abstract:

The growth of intelligent attacks has prompted designers to envision intrusion detection as a built-in process of the operating system. This thesis investigates a novel anomaly-based intrusion detection mechanism that uses the pattern of interactions between users and kernel processes to realize this notion. The mechanism is inspired by the homeostatic behavior of an organism. Homeostasis is the property of an open or closed system, particularly a living organism, of regulating its internal environment to maintain a stable, constant condition. Such a mechanism can provide the computer system with a high level of protection from artificial invading pathogens in a robust and self-organized manner. In this way, weaknesses of current security techniques, such as false negative alarms, can be mitigated.

To prepare an adequate feature list for distinguishing normal from anomalous behavior, two methods were used. The first uses the Linux kernel audit daemon to filter out unnecessary data and to reform and normalize the selected output. The second introduces a new component into the Linux kernel as a wrapper module with the necessary hook functions to log the initial data from which the desired feature list is prepared. This module can produce a pure log file from a specific subsystem of the Linux kernel.

To improve the exactness of the dataset, the meaningful fields of the feature list were expanded. A support vector machine (SVM) was applied to classify and recognize the input vectors. A one-class SVM was trained on normal features only, while the test dataset consisted of both normal and abnormal features; this method is reliable because the abnormal test data is unseen by the SVM classifier, so the results can be trusted. The classification accuracy was improved by adding some abnormal features to the test dataset and implementing a binary feature classification. Sequences of delayed input vectors were appended to examine the effect of system call ordering.

The Intelligent Intrusion Detection system was evaluated by simulation, and its improvement in metrics such as accuracy, training time and testing time was compared with other similar systems. Finally, experiments examining the efficiency, flexibility, robustness and efficacy of the system are presented at the end of the thesis.

Keywords: Artificial Intelligence ; Support Vector Machine (SVM) ; Intrusion Detection System
