Pairgram: Modeling frequency information of lookahead pairs for system call based anomaly detection

System call sequence based anomaly detection is one of the widely studied model of anomaly detection. There are two ways to model the system call sequences, one as full sequences and the other as lookahead pairs. Recently it has been shown that lookahead pairs perform better than full sequences. In this paper we propose an impurity tolerant model of anomaly detection using system calls called as Pairgram. Pairgram exploits the frequency information of lookahed pairs and build a model of normal behavior. As it is generally assumed that there is a skewed distribution of normal and abnormal sequences, more frequently occurring system call sequences are considered as normal and other way for less frequent sequences. A series of experiments on the University of New Mexico system call dataset demonstrated the effectiveness of Pairgram on impure dataset. Further the model is highly space efficient i.e., it has a constant space complexity of square of alphabet size of the program sequence.