A Reinforcement Learning Approach for Host-Based Intrusion Detection Using Sequences of System Calls

  • Conference paper
Advances in Intelligent Computing (ICIC 2005)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 3644)

Abstract

Intrusion detection has emerged as an important technique for network security. Due to the complex and dynamic properties of intrusion behaviors, machine learning and data mining methods have been widely employed to optimize the performance of intrusion detection systems (IDSs). However, the results of existing work still need to be improved both in accuracy and in computational efficiency. In this paper, a novel reinforcement learning approach is presented for host-based intrusion detection using sequences of system calls. A Markov reward process model is introduced for modeling the behaviors of system call sequences and the intrusion detection problem is converted to predicting the value functions of the Markov reward process. A temporal difference learning algorithm using linear basis functions is used for value function prediction so that abnormal temporal behaviors of host processes can be predicted accurately and efficiently. The proposed method has advantages over previous algorithms in that the temporal property of system call data is well captured in a natural and simple way and better intrusion detection performance can be achieved. Experimental results on the MIT system call data illustrate that, compared with previous work, the proposed method has better detection accuracy with low training costs.
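The abstract describes the pipeline only at a high level: windows of system calls become states of a Markov reward process, a value function over those states is learned by temporal difference (TD) learning with linear basis functions, and abnormal temporal behaviour is read off the predicted values. The Python sketch below is an added illustration of that pipeline and is not the paper's own code; the abstract does not give the reward assignment, the basis functions, the window length or the decision rule, so each of those is an assumption here: trace-level labels supply the reward (1 for every window of an intrusion-labelled trace, 0 for a normal trace), states are windows of three consecutive calls, the basis is a one-hot window identity plus adjacent-call bigram indicators (so unseen windows still get a value from their bigrams), TD(0) with a constant step size does the learning, and a trace is flagged when the largest value among its windows exceeds a threshold calibrated on the normal training traces. The traces are constructed toy data, not the MIT system call data.

```python
"""TD(0) value-function anomaly scoring over system-call windows.

Added example, not the paper's code. Assumed details: trace-level labels give
the reward (1 per window of an intrusion trace, 0 otherwise), windows of three
calls are the states, and the linear basis is a one-hot window identity plus
adjacent-call bigram indicators.
"""

# Constructed toy traces (not the MIT/UNM data): lists of system-call names.
NORMAL_TRACES = [
    ["open", "read", "read", "write", "close"],
    ["open", "read", "write", "write", "close"],
    ["open", "fstat", "read", "write", "close"],
]
ATTACK_TRACES = [
    # shell spawn that starts with the same "open read read" prefix as a normal trace
    ["open", "read", "read", "execve", "setuid", "fork", "execve"],
]


def windows(trace, k):
    """Sliding windows of k consecutive calls; each window is one MRP state."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


class TDDetector:
    def __init__(self, k=3, gamma=0.9, alpha=0.02):
        self.k, self.gamma, self.alpha = k, gamma, alpha
        self.index = {}        # basis function key -> position in the weight vector
        self.w = []            # weights, grown as new basis functions are seen
        self.threshold = 0.0

    def _features(self, win, grow):
        """Active basis functions of a window: its identity and its bigrams."""
        keys = [("id", win)] + [("bigram", a, b) for a, b in zip(win, win[1:])]
        active = []
        for key in keys:
            if key not in self.index:
                if not grow:
                    continue       # basis function never seen in training: contributes 0
                self.index[key] = len(self.w)
                self.w.append(0.0)
            active.append(self.index[key])
        return active

    def value(self, win):
        """Linear value prediction V(s) = sum of weights of the active basis functions."""
        return sum(self.w[i] for i in self._features(win, grow=False))

    def _td_update(self, win, reward, nxt):
        """One TD(0) step: w += alpha * (r + gamma*V(s') - V(s)) * phi(s)."""
        target = reward + (self.gamma * self.value(nxt) if nxt is not None else 0.0)
        active = self._features(win, grow=True)
        delta = target - sum(self.w[i] for i in active)
        for i in active:
            self.w[i] += self.alpha * delta

    def fit(self, normal, attack, epochs=1000):
        # Assumed reward scheme: every window of an intrusion trace earns 1, normal windows 0.
        episodes = [(t, 0.0) for t in normal] + [(t, 1.0) for t in attack]
        for _ in range(epochs):
            for trace, reward in episodes:
                ws = windows(trace, self.k)
                for i, win in enumerate(ws):
                    nxt = ws[i + 1] if i + 1 < len(ws) else None   # last window is terminal
                    self._td_update(win, reward, nxt)
        # Toy calibration: largest value reached by any normal training window.
        self.threshold = max(self.score(t) for t in normal)
        return self

    def score(self, trace):
        """Trace score: the highest predicted value among its windows."""
        ws = windows(trace, self.k)
        return max((self.value(w) for w in ws), default=0.0)

    def is_intrusion(self, trace):
        return self.score(trace) > self.threshold


def train_detector(normal=NORMAL_TRACES, attack=ATTACK_TRACES, **kw):
    return TDDetector(**kw).fit(normal, attack)


if __name__ == "__main__":
    det = train_detector()
    print("threshold:", round(det.threshold, 3))
    for t in NORMAL_TRACES + ATTACK_TRACES:
        print(round(det.score(t), 3), det.is_intrusion(t), " ".join(t))
    # A variant attack whose middle window was never seen in training: the bigram
    # basis still assigns it a value, and the seen attack windows push it over the threshold.
    variant = ["open", "fstat", "read", "execve", "setuid", "fork", "execve"]
    print(round(det.score(variant), 3), det.is_intrusion(variant), " ".join(variant))
```

Two things worth noticing when running it. The last attack window ("setuid", "fork", "execve") converges to a value of about 1 (its reward, with no successor), and each earlier attack window is worth roughly 1 plus 0.9 times its successor, so the value rises towards the start of the attack: this is the "temporal property" the abstract refers to, the value function anticipating where a sequence is heading. The prefix window ("open", "read", "read") appears in both a normal trace and the attack trace, so its value settles between the two targets; that is why the threshold is taken from the normal training traces rather than fixed at zero, and why in practice it should come from held-out normal data rather than the training set.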

Supported by the National Natural Science Foundation of China under Grants 60303012 and 60225015, the Specialized Research Fund for the Doctoral Program of Higher Education under Grant 20049998027, the Chinese Post-Doctor Science Foundation under Grant 200403500202, and a project supported by the Scientific Research Fund of Hunan Provincial Education Department.

References

  1. Denning, D.: An Intrusion-Detection Model. IEEE Transactions on Software Engineering 13(2) (1987)

  2. Lee, W., Stolfo, S.J.: A Data Mining Framework for Building Intrusion Detection Models. In: Gong, L., Reiter, M.K. (eds.) Proceedings of the 1999 IEEE Symposium on Security and Privacy, pp. 120–132. IEEE Computer Society Press, Oakland (1999)

  3. Mukkamala, S., Janoski, G., Sung, A.H.: Intrusion Detection Using Neural Networks and Support Vector Machines. In: Proceedings of IEEE International Joint Conference on Neural Networks, pp. 1702–1707 (2002)

  4. Ryan, J., Lin, M.-J., Miikkulainen, R.: Intrusion Detection with Neural Networks. In: Advances in Neural Information Processing Systems, vol. 10. MIT Press, Cambridge (1998)

  5. Lane, T., Brodley, C.: Temporal Sequence Learning and Data Reduction for Anomaly Detection. ACM Transactions on Information and System Security 2(3), 295–331 (1999)

  6. Jha, S., Tan, K., Maxion, R.: Markov Chains, Classifiers, and Intrusion Detection. In: Proceedings of the 14th IEEE Computer Security Foundations Workshop (CSFW) (June 2001)

  7. Warrender, C., Forrest, S., Pearlmutter, B.: Detecting Intrusions using System Calls: Alternative Data Models. In: Gong, L., Reiter, M.K. (eds.) Proceedings of the 1999 IEEE Symposium on Security and Privacy, pp. 133–145. IEEE Computer Society Press, Oakland (1999)

  8. Kaelbling, L.P., Littman, M.L., Moore, A.W.: Reinforcement Learning: a Survey. Journal of Artificial Intelligence Research 4, 237–285 (1996)

  9. Sutton, R.: Learning to Predict by the Method of Temporal Differences. Machine Learning 3(1), 9–44 (1988)

  10. Hofmeyr, S.A., Forrest, S., Somayaji, A.: Intrusion Detection Using Sequences of System Calls. Journal of Computer Security 6(3), 151–180 (1998)

  11. Rao, X., Dong, C.X., Yang, S.Q.: An Intrusion Detection System based on Support Vector Machine. Journal of Software 14(4), 798–803 (2003)

  12. Xu, X., He, H.G., Hu, D.W.: Efficient Reinforcement Learning Using Recursive Least-Squares Methods. Journal of Artificial Intelligence Research 16, 259–292 (2002)

Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Xu, X., Xie, T. (2005). A Reinforcement Learning Approach for Host-Based Intrusion Detection Using Sequences of System Calls. In: Huang, DS., Zhang, XP., Huang, GB. (eds) Advances in Intelligent Computing. ICIC 2005. Lecture Notes in Computer Science, vol 3644. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11538059_103

  • DOI: https://doi.org/10.1007/11538059_103

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-28226-6

  • Online ISBN: 978-3-540-31902-3

  • eBook Packages: Computer Science (R0)