Purdue University Graduate School

EARLY DETECTION OF INTRUSIONS AND MALWARE FOR LINUX BASED SYSTEMS

Thesis, posted on 2021-03-08, 20:44, authored by Xinrun Zhang

System-call-based research on host intrusion detection systems (HIDSs) and Android malware detection systems (AMDSs) has been conducted over the past several years. Several HIDS and AMDS frameworks have been proposed using different intrusion and malware datasets, and security researchers have applied several machine learning (ML) techniques to improve classification performance, achieving high accuracy and low false-alarm rates. However, little emphasis has been placed on the real-world deployment of HIDSs and AMDSs for intrusion and malware detection. To address this issue, we propose a system call trace processing framework capable of early detection of intrusions and malware. In the proposed framework, only a limited number of system calls are analyzed: those invoked by processes/applications during their early execution. To verify its efficiency, we perform experiments on a publicly available intrusion dataset, ADFA-LD, and on a self-constructed dataset for the Android environment. We analyze both datasets with statistical methods and process the selected traces with a 2-4 gram model and a Term Frequency-Inverse Document Frequency (TF-IDF) model during feature extraction. We train six ML classifiers on these datasets: Decision Tree, Random Forest, Multi-layer Perceptron, K-nearest-neighbor, Multi-variable Naive Bayesian, and Support Vector Machine. The experimental results demonstrate that the performance of the proposed HIDS and AMDS is similar to that of approaches that use all the system calls invoked during the full execution of applications. We also develop a client-server based Android app for our Android malware detection system.
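The abstract describes the feature step only in outline: truncate each system call trace to its early calls, extract 2-4 grams, and weight them with TF-IDF before training classifiers. The following Python is an added illustration of that pipeline and is not code from the thesis; the traces are constructed (not drawn from ADFA-LD or the author's Android dataset), the smoothed IDF formula is an assumption, and the nearest-neighbour cosine classifier at the end stands in for the six ML classifiers the thesis evaluates.

```python
"""
Added example: early-detection feature pipeline over system-call traces.
Not the thesis's code; the traces below are constructed, not from ADFA-LD.
Assumed pipeline: keep the first n_calls system calls of each trace,
extract 2-4-grams, weight them with TF-IDF, compare with cosine similarity.
"""
import math
from collections import Counter

# Constructed, labelled training traces (syscall names in invocation order).
TRAINING_TRACES = {
    "normal_1": ["open", "read", "read", "close", "mmap", "write", "close"],
    "normal_2": ["open", "read", "close", "open", "read", "close"],
    "attack_1": ["socket", "connect", "execve", "fork", "execve", "dup2", "write"],
}
# Constructed trace whose label we predict from its early calls only.
UNKNOWN_TRACE = ["socket", "connect", "execve", "dup2", "write", "write"]


def early_prefix(trace, n_calls):
    """Early detection: look only at the first n_calls system calls."""
    return trace[:n_calls]


def ngrams(trace, n_min=2, n_max=4):
    """All contiguous n-grams of the trace for n in [n_min, n_max], as tuples."""
    grams = []
    for n in range(n_min, n_max + 1):
        for i in range(len(trace) - n + 1):
            grams.append(tuple(trace[i:i + n]))
    return grams


def term_frequencies(trace, n_min=2, n_max=4):
    """Relative frequency of each n-gram inside one trace (empty if too short)."""
    grams = ngrams(trace, n_min, n_max)
    if not grams:
        return {}
    counts = Counter(grams)
    return {g: c / len(grams) for g, c in counts.items()}


def inverse_document_frequencies(docs_tf):
    """Smoothed IDF (assumed form): log((1 + N) / (1 + df)) + 1 over all traces."""
    n_docs = len(docs_tf)
    df = Counter()
    for tf in docs_tf.values():
        df.update(tf.keys())
    return {g: math.log((1 + n_docs) / (1 + d)) + 1 for g, d in df.items()}


def tfidf_features(traces, n_calls, n_min=2, n_max=4):
    """Return (sorted vocabulary, {name: dense TF-IDF vector}) for early prefixes."""
    docs_tf = {name: term_frequencies(early_prefix(t, n_calls), n_min, n_max)
               for name, t in traces.items()}
    idf = inverse_document_frequencies(docs_tf)
    vocab = sorted(idf)
    vectors = {name: [tf.get(g, 0.0) * idf[g] for g in vocab]
               for name, tf in docs_tf.items()}
    return vocab, vectors


def cosine(u, v):
    """Cosine similarity of two equal-length vectors; 0.0 if either is all-zero."""
    dot = sum(a * b for a, b in zip(u, v))
    nu = math.sqrt(sum(a * a for a in u))
    nv = math.sqrt(sum(b * b for b in v))
    return dot / (nu * nv) if nu and nv else 0.0


def classify_early(training, unknown, n_calls):
    """Nearest-neighbour label ('normal' or 'attack') from the early prefix only.
    A stand-in for the thesis's ML classifiers; the feature step is the point."""
    all_traces = dict(training)
    all_traces["__query__"] = unknown
    _, vectors = tfidf_features(all_traces, n_calls)
    query = vectors.pop("__query__")
    best = max(vectors, key=lambda name: cosine(vectors[name], query))
    return best.split("_")[0]


if __name__ == "__main__":
    vocab, vecs = tfidf_features(TRAINING_TRACES, n_calls=4)
    print(f"{len(vocab)} distinct 2-4-grams in the first 4 calls of each trace")
    print("normal_1 vs normal_2:", round(cosine(vecs["normal_1"], vecs["normal_2"]), 3))
    print("normal_1 vs attack_1:", round(cosine(vecs["normal_1"], vecs["attack_1"]), 3))
    print("unknown trace, first 4 calls ->",
          classify_early(TRAINING_TRACES, UNKNOWN_TRACE, 4))
```

The `n_calls` parameter is the knob the abstract's "early execution" claim turns on: a small prefix gives an earlier verdict but a sparser n-gram vector, so the prefix length has to be chosen against the dataset's trace lengths rather than fixed in advance. Because the vocabulary is built from whatever traces are passed in, a real deployment would freeze the vocabulary and IDF weights at training time and reuse them for every new trace.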

History

Degree Type

  • Master of Science

Department

  • Electrical and Computer Engineering

Campus location

  • Hammond

Advisor/Supervisor/Committee Chair

Quamar Niyaz

Additional Committee Member 2

Xiaoli Yang

Additional Committee Member 3

Khair Al Shamaileh
