Intrusion detection using noisy training data

Abstract

One of the greatest difficulties in anomaly detection is to obtain training data having no intrusions. In anomaly detection, training data should be obtained from the target system. If there exists an intrusion in this data, the trained intrusion detection system will assume that it is normal and will not detect subsequent occurrences. In this paper, we present a system call based anomaly detection method that can detect intrusions effectively even though the training set contains intrusions. This scheme exploits the property that if there is an intrusion hidden in the training data, it is likely to consist of a sequence of elements having low frequencies of occurrence. Compared with the previous schemes, simulation results show that with the training data containing intrusions the proposed method has lower false positive rates and higher detection rates. Moreover, for clean training data our method and the previous schemes shows similar performance. The proposed method can be viewed as an approach to increase practicality of anomaly detection and to enhance reliability of security policy. © Springer-Verlag 2004.