DocumentCode :
2790908
Title :
The Architecture of Host-based Intrusion Detection Model Generation System for the Frequency Per System Call
Author :
Paek, Seung-Hyun ; Oh, Yoon-Keun ; Yun, JooBeom ; Lee, Do-Hoon
Author_Institution :
National Security Technology Institute
Volume :
2
fYear :
2006
fDate :
9-11 Nov. 2006
Firstpage :
277
Lastpage :
283
Abstract :
There has been a considerable amount of research on applying data mining techniques to intrusion detection. However, most of this research has focused on intrusion detection systems in the network area, and work in the host area has been limited to applying a particular data mining technique to host-based intrusion detection. In this paper, we propose the architecture of a host-based intrusion detection model generation system which creates candidate models using various popular existing data mining techniques and one new technique (sC4.5) for the process behavior data set with the frequency feature per system call, and then selects the most appropriate model according to user requirements after evaluating the candidate models. The frequency feature per system call is simpler than the existing system call sequence feature when applied to an intrusion detection system as the model. We also propose sC4.5, a decision tree classification algorithm that complements the existing C4.5 algorithm. sC4.5 preserves classification accuracy like C4.5 and makes the decision tree smaller than C4.5.
Keywords :
Classification algorithms; Classification tree analysis; Data mining; Data security; Decision trees; Feature extraction; Frequency; Intrusion detection; National security; Pattern analysis;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Hybrid Information Technology, 2006. ICHIT '06. International Conference on
Conference_Location :
Cheju Island
Print_ISBN :
0-7695-2674-8
Type :
conf
DOI :
10.1109/ICHIT.2006.253624
Filename :
4021229