Improved Intrusive Process Detection Via Text Categorization

This paper compares the efficacy of two anomaly detection classifiers with respect to the classification of processes as either intrusive or non-intrusive. To the task of process classification, both classifiers treat processes as system call sequences, encode those system call sequences as text documents, and apply the k-nearest neighbor text categorization method to classify the processes. In these text documents, system call attributes are represented as weighted frequencies. One of the classifiers; an established anomaly detection classifier encodes system calls associated with a process as a vector of weighted frequencies. The other, putative classifier encodes pairs of sequential system calls as a twodimensional table of weighted frequencies. For a process, each entry in the table represents the weighted frequency of a transition from one system call to the next. As such the putative classifier categorizes processes based on local system call ordering and system call frequency, while the established classifier relies on system call frequency alone. Using the DARPA Off-line Intrusion Detection Evaluation data, this paper shows that the putative, weighted-table anomaly detection classifier more accurately identifies intrusive processes than the weighted-vector k-nearest neighbor classifier. By employing a more detailed encoding of system call sequences, the putative, weighted-table classifier achieves a higher detection rate while maintaining a low false positive rate relative to the weighted-vector classifier.