Abstract
Intrusion detection has emerged as an important technique for network security. Due to the complex and dynamic properties of intrusion behaviors, machine learning and data mining methods have been widely employed to optimize the performance of intrusion detection systems (IDSs). However, the results of existing work still need to be improved both in accuracy and in computational efficiency. In this paper, a novel reinforcement learning approach is presented for host-based intrusion detection using sequences of system calls. A Markov reward process model is introduced for modeling the behaviors of system call sequences, and the intrusion detection problem is converted to predicting the value functions of the Markov reward process. A temporal difference learning algorithm using linear basis functions is used for value function prediction so that abnormal temporal behaviors of host processes can be predicted accurately and efficiently. The proposed method has advantages over previous algorithms in that the temporal property of system call data is well captured in a natural and simple way and better intrusion detection performance can be achieved. Experimental results on the MIT system call data illustrate that, compared with previous work, the proposed method has better detection accuracy with low training costs.
Supported by the National Natural Science Foundation of China under Grants 60303012, 60225015, Specialized Research Fund for the Doctoral Program of Higher Education under Grant 20049998027, Chinese Post-Doctor Science Foundation under Grant 200403500202, and A Project Supported by Scientific Research Fund of Hunan Provincial Education Department.
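The idea in the abstract, sketched as an added example that is not code from the paper: system-call windows are treated as states of a Markov reward process, and TD(0) learns a value per state that serves as an anomaly score. The state definition (sliding windows of three calls), the reward scheme (1 per transition in an abnormal trace, 0 otherwise), the one-hot features (a special case of linear basis functions), the constants, the score for unseen states and the sample traces are all assumptions constructed for illustration.

```python
from collections import defaultdict

WINDOW, GAMMA, ALPHA = 3, 0.9, 0.1  # assumed window length, discount, step size

# Constructed sample traces (not taken from the MIT system call data).
NORMAL = [["open", "read", "mmap", "read", "close"],
          ["open", "read", "read", "write", "close"]]
ABNORMAL = [["open", "read", "execve", "setuid", "socket", "connect"]]
TRAIN = [(t, False) for t in NORMAL] + [(t, True) for t in ABNORMAL]

def states(trace):
    """Slide a window over a trace of system-call names to obtain MRP states."""
    return [tuple(trace[i:i + WINDOW]) for i in range(len(trace) - WINDOW + 1)]

def td0_train(labelled_traces, epochs=200):
    """TD(0) with one-hot linear features, so V(s) = w[s].
    Assumed reward: 1 for each transition of an abnormal trace, else 0."""
    w = defaultdict(float)
    for _ in range(epochs):
        for trace, abnormal in labelled_traces:
            seq = states(trace)
            r = 1.0 if abnormal else 0.0
            for i, s in enumerate(seq):
                # The value after the last state of a trace is taken as 0.
                v_next = w[seq[i + 1]] if i + 1 < len(seq) else 0.0
                w[s] += ALPHA * (r + GAMMA * v_next - w[s])  # TD(0) update
    return dict(w)

def score(w, trace, unseen=1.0):
    """Mean predicted value over a trace; states absent from training
    are scored `unseen` (assumption: novelty counts as suspicious)."""
    seq = states(trace)
    return sum(w.get(s, unseen) for s in seq) / len(seq)

def is_intrusion(w, trace, threshold=0.5):
    """Flag a trace whose mean predicted value exceeds the assumed threshold."""
    return score(w, trace) > threshold

if __name__ == "__main__":
    w = td0_train(TRAIN)
    for trace, _ in TRAIN:
        print(f"{score(w, trace):.3f}", is_intrusion(w, trace), trace)
```

States that appear only in normal traces keep a value of exactly 0, while states in the abnormal trace accumulate discounted reward, so the learned values reflect where in a sequence the behavior diverges.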
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Xu, X., Xie, T. (2005). A Reinforcement Learning Approach for Host-Based Intrusion Detection Using Sequences of System Calls. In: Huang, DS., Zhang, XP., Huang, GB. (eds) Advances in Intelligent Computing. ICIC 2005. Lecture Notes in Computer Science, vol 3644. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11538059_103
DOI: https://doi.org/10.1007/11538059_103
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-28226-6
Online ISBN: 978-3-540-31902-3
eBook Packages: Computer Science, Computer Science (R0)