Conference: International MultiConference of Engineers and Computer Scientists

An Unsupervised Host-Based Anomaly Intrusion Detection Technique Based on Non-negative Matrix Factorization

Abstract

Unsupervised anomaly detection based on network traffic has been well developed in recent years, but the task of modeling noisy behaviors based on system calls has rarely been addressed. Because system calls are important monitored data for describing behavior, we propose a simple unsupervised algorithm for anomaly intrusion detection that deals with noisy data based on system calls. We count the occurrence frequency of each unique system call in a process to form a frequency representation, and use non-negative matrix factorization (NMF) to project these representations into a lower-dimensional linear subspace. We use the property that projected points generated by NMF scatter along eigenvectors or planes to identify noisy behaviors. The UNM dataset is used to test the algorithm's ability to detect intrusion behaviors. We analyze the aspects that should affect the accuracy of the detection results and find that the proposed method shows satisfactory performance. The algorithm is shown to guarantee not only the accuracy of the detection results but also their stability.
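The frequency representation and NMF projection described in the abstract, as an added example in pure Python; it is not code from the paper. The traces are constructed, and the Lee-Seung multiplicative updates and the reconstruction-residual score are assumptions standing in for the paper's own update rule and scatter-based criterion, which the abstract does not specify.

```python
import random
from collections import Counter

def frequency_rows(traces):
    """One row per process: relative frequency of each unique system call."""
    calls = sorted({c for t in traces for c in t})
    rows = []
    for t in traces:
        n = Counter(t)
        rows.append([n[c] / len(t) for c in calls])
    return calls, rows

def matmul(A, B):
    cols = list(zip(*B))
    return [[sum(x * y for x, y in zip(r, c)) for c in cols] for r in A]

def nmf(V, k, iters=500, seed=0, eps=1e-9):
    """V (n x m) ~= W (n x k) @ H (k x m), all entries non-negative.
    Assumption: Lee-Seung multiplicative updates for the Frobenius norm."""
    rng = random.Random(seed)
    W = [[rng.random() + 0.1 for _ in range(k)] for _ in V]
    H = [[rng.random() + 0.1 for _ in V[0]] for _ in range(k)]
    for _ in range(iters):
        Wt = list(zip(*W))
        num, den = matmul(Wt, V), matmul(matmul(Wt, W), H)
        H = [[h * a / (b + eps) for h, a, b in zip(*r)] for r in zip(H, num, den)]
        Ht = list(zip(*H))
        num, den = matmul(V, Ht), matmul(W, matmul(H, Ht))
        W = [[w * a / (b + eps) for w, a, b in zip(*r)] for r in zip(W, num, den)]
    return W, H

def residuals(V, W, H):
    """Assumed score: distance of each row from its rank-k reconstruction."""
    return [sum((v - r) ** 2 for v, r in zip(vr, rr)) ** 0.5
            for vr, rr in zip(V, matmul(W, H))]

# Constructed sample traces (not UNM data): two normal behaviours, one odd process.
FILE_IO = ["open", "fstat", "read", "read", "write", "close"]
NET = ["socket", "connect", "send", "recv", "recv", "close"]
TRACES = [FILE_IO * 3, FILE_IO * 2 + ["read"], FILE_IO * 4, FILE_IO * 3 + ["write"],
          NET * 3, NET * 2 + ["recv"], NET * 4, NET * 3 + ["send"],
          ["open", "read", "setuid", "chmod", "execve", "execve", "close"]]

def most_anomalous(traces, k=2):
    """Fit NMF on all traces (unsupervised) and return the worst-fitting one."""
    calls, V = frequency_rows(traces)
    W, H = nmf(V, k)
    scores = residuals(V, W, H)
    return max(range(len(scores)), key=scores.__getitem__), scores
```

Because the model is fit on the same unlabeled traces it scores, the approach relies on anomalous processes being a small minority, so the factors settle on the normal call profiles.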
