Title :
Towards reliable data feature retrieval and decision engine in host-based anomaly detection systems
Author :
Waqas Haider;Jiankun Hu;Miao Xie
Author_Institution :
School of Engineering and Information Technology, University of New South Wales at the Australian Defence Force Academy, Canberra, Australia
Date :
6/1/2015 12:00:00 AM
Abstract :
Host-based anomaly detection systems (HADS) serve as the second line of defense after cyber attacks have penetrated the network-level defense. The major components of a reliable HADS are an enriched data source (DS), computationally efficient data feature retrieval (DFR), and an accurate and fast decision engine (DE). ADFA-LD is a recently published data set that reflects the invisible threat environment of modern computer systems. Existing HADS that use ADFA-LD as the DS exhibit computationally expensive DFR and inferior DE performance at real time. The major drawback is the inability to acquire representative features from host activities. To confront this drawback, at the DFR stage this paper develops a statistical strategy for integer data, inspired by zero watermarking of character data, to extract hidden reliable or representative features from the system calls of a trace. At the DE stage, three supervised machine learning classifiers, support vector machines (SVM) with linear and radial basis function (RBF) kernels and k-nearest neighbor (KNN), are evaluated in terms of detection rate (DR), false alarm rate (FAR) and computational time. The numerical trials validate that the suggested statistical feature extraction strategy at the DFR and KNN at the DE can attain acceptable performance in real time.
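The DS -> DFR -> DE pipeline and the DR/FAR/time evaluation described in the abstract, as an added example that is not code from the paper: the feature extractor below is a generic set of statistics over an integer system-call trace and is not the zero-watermark-inspired strategy the authors propose, the syscall numbers and traces are constructed for illustration rather than taken from ADFA-LD, and the k-nearest-neighbour decision engine is a plain Euclidean KNN on z-scored features.

```python
"""Illustrative HADS pipeline: data source (DS) -> data feature retrieval (DFR)
-> decision engine (DE), scored by detection rate (DR), false alarm rate (FAR)
and wall-clock time. Added example; the features, syscall numbers and traces
are constructed assumptions, not the paper's method or the ADFA-LD data."""
import math
import random
import time
from collections import Counter

# --- DS: constructed integer system-call traces ---
# Hypothetical syscall numbers. NORMAL_SYSCALLS mimics a read/write-heavy
# workload; ATTACK_SYSCALLS adds exec/socket-style numbers normal traces never use.
NORMAL_SYSCALLS = [3, 4, 6, 54, 63]
ATTACK_SYSCALLS = [3, 4, 11, 45, 91, 102, 120, 125]


def make_traces(n_traces, syscalls, length, seed):
    """Constructed traces: `length` syscalls drawn uniformly from `syscalls`."""
    rng = random.Random(seed)
    return [[rng.choice(syscalls) for _ in range(length)] for _ in range(n_traces)]


# --- DFR: statistical features over the integer sequence of one trace ---
def bigram_entropy(trace):
    """Shannon entropy (bits) of adjacent syscall pairs; a cheap order-aware feature."""
    pairs = Counter(zip(trace, trace[1:]))
    total = sum(pairs.values())
    return -sum(c / total * math.log2(c / total) for c in pairs.values())


def extract_features(trace):
    """Five statistics of the integer trace (assumed feature set, not the paper's)."""
    n = len(trace)
    mean = sum(trace) / n
    std = math.sqrt(sum((x - mean) ** 2 for x in trace) / n)
    return [mean, std, len(set(trace)), max(trace), bigram_entropy(trace)]


def zscore_fit(rows):
    """Per-feature mean/std from training rows so KNN distances are scale-free."""
    cols = list(zip(*rows))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0
            for c, m in zip(cols, means)]
    return means, stds


def zscore_apply(row, means, stds):
    return [(v - m) / s for v, m, s in zip(row, means, stds)]


# --- DE: k-nearest-neighbour classifier, Euclidean distance, majority vote ---
def knn_predict(train_x, train_y, x, k=3):
    dists = sorted((math.dist(x, tx), ty) for tx, ty in zip(train_x, train_y))
    votes = Counter(label for _, label in dists[:k])
    return votes.most_common(1)[0][0]


def detection_metrics(y_true, y_pred, attack=1):
    """DR = TP/(TP+FN) over attack traces, FAR = FP/(FP+TN) over normal traces."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == attack and p == attack)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == attack and p != attack)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t != attack and p == attack)
    tn = sum(1 for t, p in zip(y_true, y_pred) if t != attack and p != attack)
    dr = tp / (tp + fn) if tp + fn else 0.0
    far = fp / (fp + tn) if fp + tn else 0.0
    return dr, far


def run_pipeline(k=3):
    """Build constructed traces, extract features, classify held-out traces,
    and report DR, FAR and the time spent in the DFR and DE stages."""
    normal = make_traces(30, NORMAL_SYSCALLS, 40, seed=1)
    attack = make_traces(30, ATTACK_SYSCALLS, 40, seed=2)
    traces = normal + attack
    labels = [0] * len(normal) + [1] * len(attack)
    # Hold out every third trace of each class for testing.
    train_idx = [i for i in range(len(traces)) if i % 3 != 2]
    test_idx = [i for i in range(len(traces)) if i % 3 == 2]

    t0 = time.perf_counter()
    feats = [extract_features(t) for t in traces]
    dfr_time = time.perf_counter() - t0

    means, stds = zscore_fit([feats[i] for i in train_idx])
    train_x = [zscore_apply(feats[i], means, stds) for i in train_idx]
    train_y = [labels[i] for i in train_idx]

    t0 = time.perf_counter()
    preds = [knn_predict(train_x, train_y, zscore_apply(feats[i], means, stds), k)
             for i in test_idx]
    de_time = time.perf_counter() - t0

    dr, far = detection_metrics([labels[i] for i in test_idx], preds)
    return {"DR": dr, "FAR": far, "dfr_seconds": dfr_time, "de_seconds": de_time}


if __name__ == "__main__":
    print(run_pipeline())
```

The constructed attack traces are deliberately easy to separate, so the point of the block is the shape of the evaluation rather than the numbers: timing the DFR and DE stages separately is what lets one compare feature strategies and classifiers on the same footing, and DR and FAR must be reported together because a detector that flags everything trivially reaches DR = 1.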
Keywords :
"Feature extraction","Reliability","Support vector machines","Machine learning algorithms","Kernel","Training","Watermarking"
Conference_Titel :
Industrial Electronics and Applications (ICIEA), 2015 IEEE 10th Conference on
DOI :
10.1109/ICIEA.2015.7334166