FGMC-HADS: Fuzzy Gaussian mixture-based correntropy models for detecting zero-day attacks from linux systems


Abstract

Existing system-call-based host anomaly detection systems (HADSs) ignore the hidden patterns that can reside in the elapsed times of system calls over the lifecycle of a kernel-calling process, so the behavioral regions they construct are not precise enough to protect hosts reliably against modern unknown attacks. This paper proposes a HADS, the Fuzzy Gaussian Mixture-based Correntropy HADS (FGMC-HADS), built on the fuzzy rough set attribute reduction (FRAR) method, the Gaussian mixture model (GMM) and the correntropy mechanism. FGMC-HADS comprises two novel modules: (1) the FRAR method combines system-call identifiers and elapsed times to construct the relevant hidden patterns; and (2) the GMM and correntropy approaches are combined into an anomaly detection technique, called Corr-GMM, in which the GMM fuses the multivariate features and correntropy recognizes unknown anomalous activities. The posterior probabilities of the GMM are fed to the correntropy model to determine the time-series interdependencies of host activities, and Corr-GMM then constructs legitimate boundaries that serve as the threshold for discovering abnormal behaviors. FGMC-HADS is trained and validated on the NGIDS-DS and KDD-98 datasets and the new ToN_IoT Linux dataset. The experimental results indicate that FGMC-HADS provides a more reliable defense layer for Linux-based hosts against unknown attacks than other compelling HIDS techniques.
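The abstract describes the Corr-GMM scoring chain (GMM posteriors, correntropy over the posterior time series, a legitimate boundary used as threshold) but the page carries no code. The block below is an added illustration written for this page, not the authors' implementation: it fits a diagonal-covariance GMM to (syscall id, ln elapsed time) features from a constructed benign trace, feeds the per-event posteriors into a lag-1 Gaussian-kernel correntropy estimate, and takes the spread of benign window scores as the legitimate boundary. The FRAR stage is omitted; the kernel bandwidth, window size, EM initialisation, variance floor and the 3-sigma-with-floor boundary rule are assumptions; the traces are constructed here and are not drawn from NGIDS-DS, KDD-98 or ToN_IoT.

```python
"""Toy Corr-GMM style scorer, illustrative only (not the paper's code).
Pipeline as the abstract states it: (1) event -> (syscall id, ln elapsed);
(2) diagonal GMM fitted on benign events by EM; (3) per-event posteriors feed a
lag-1 correntropy estimate (time-series interdependency); (4) benign window
scores define the legitimate boundary. The FRAR stage is not reproduced."""
import math
import random

def features(events):
    """events: list of (syscall_id, elapsed_us); elapsed time is log-scaled."""
    return [(float(sid), math.log(us)) for sid, us in events]

def sq_dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def log_gauss_diag(x, mean, var):
    """Log density of a diagonal-covariance Gaussian."""
    return sum(-0.5 * (math.log(2 * math.pi * v) + (xi - m) ** 2 / v)
               for xi, m, v in zip(x, mean, var))

def posterior(x, model):
    """Responsibilities p(component | x), computed in log space (no underflow)."""
    weights, means, var = model
    logs = [math.log(max(w, 1e-300)) + log_gauss_diag(x, m, v)
            for w, m, v in zip(weights, means, var)]
    z = max(logs) + math.log(sum(math.exp(l - max(logs)) for l in logs))
    return [math.exp(l - z) for l in logs]

def fit_gmm(X, k=2, iters=50, var_floor=1e-2):
    """EM for a diagonal GMM (assumed fitting procedure). Deterministic
    farthest-point init; the variance floor stops a constant feature (one
    syscall id per cluster) collapsing a component to zero variance."""
    n, d = len(X), len(X[0])
    means = [list(X[0])]
    while len(means) < k:
        means.append(list(max(X, key=lambda p: min(sq_dist(p, m) for m in means))))
    gmean = [sum(x[j] for x in X) / n for j in range(d)]
    var = [[max(var_floor, sum((x[j] - gmean[j]) ** 2 for x in X) / n)
            for j in range(d)] for _ in range(k)]
    weights = [1.0 / k] * k
    for _ in range(iters):
        R = [posterior(x, (weights, means, var)) for x in X]  # E-step
        for c in range(k):                                   # M-step
            nc = sum(r[c] for r in R) + 1e-12
            weights[c] = nc / n
            means[c] = [sum(r[c] * x[j] for r, x in zip(R, X)) / nc for j in range(d)]
            var[c] = [max(var_floor, sum(r[c] * (x[j] - means[c][j]) ** 2
                                         for r, x in zip(R, X)) / nc) for j in range(d)]
    return weights, means, var

def correntropy(seq_a, seq_b, sigma=1.0):
    """Sample Gaussian-kernel correntropy V = mean_t k_sigma(a_t - b_t); the
    1/(sqrt(2*pi)*sigma) kernel constant is dropped since it only rescales V."""
    if not seq_a:
        raise ValueError("need at least one pair of events")
    return sum(math.exp(-sq_dist(a, b) / (2 * sigma ** 2))
               for a, b in zip(seq_a, seq_b)) / len(seq_a)

def window_score(events, model, sigma=1.0):
    """Lag-1 correntropy of one window's posterior sequence."""
    P = [posterior(x, model) for x in features(events)]
    return correntropy(P[1:], P[:-1], sigma)

def legitimate_boundary(train_windows, model, k=3.0, floor=0.05):
    """Assumed boundary rule: mean +/- max(k*std, floor) of benign window
    scores; the floor keeps a near-constant benign score from yielding a
    zero-width band that would flag every test window."""
    s = [window_score(w, model) for w in train_windows]
    mu = sum(s) / len(s)
    sd = math.sqrt(sum((v - mu) ** 2 for v in s) / len(s))
    margin = max(k * sd, floor)
    return (mu - margin, mu + margin)

def is_anomalous(events, model, boundary):
    lo, hi = boundary
    return not (lo <= window_score(events, model) <= hi)

# Constructed traces (assumed shapes, not taken from any dataset).
def benign_trace(rng, n):
    """A log writer alternating read (id 0, ~50 us) and write (id 1, ~200 us)."""
    return [(0, rng.gauss(50, 4)) if i % 2 == 0 else (1, rng.gauss(200, 15))
            for i in range(n)]

def burst_trace(rng, n_benign, n_burst):
    """Benign prefix, then a burst of one unseen long-latency call (id 101)."""
    return benign_trace(rng, n_benign) + [(101, rng.gauss(5000, 300)) for _ in range(n_burst)]

def run_demo(window=50, seed=7):
    rng = random.Random(seed)
    train = benign_trace(rng, 8 * window)
    model = fit_gmm(features(train), k=2)
    boundary = legitimate_boundary([train[i:i + window] for i in range(0, len(train), window)], model)
    return {"boundary": boundary,
            "benign_flagged": is_anomalous(benign_trace(rng, window), model, boundary),
            "burst_flagged": is_anomalous(burst_trace(rng, 20, 30), model, boundary)}

if __name__ == "__main__":
    print(run_demo())
```

Two things worth noticing when adapting this. Scoring only on posteriors means an out-of-distribution event is mapped onto its nearest mixture component rather than rejected: the burst is caught because a run of identical posteriors breaks the benign alternation pattern and pushes the lag-1 correntropy up, but a single odd event inside an otherwise normal window would barely move the score. A practitioner would pair the correntropy boundary with a second boundary on the window's mixture log-likelihood. The kernel bandwidth sigma also sets how strongly two posterior vectors must differ to count as "unrelated"; it should be chosen on held-out benign windows, not hard-coded.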

Record details

  • Source
    Computers & Security | 2020, No. 9 | pp. 101906.1-101906.12 | 12 pages
  • Author affiliations

    UNSW Canberra and Canberra Institute of Technology, Canberra ACT 2600, Australia;

    School of Engineering and Information Technology, the University of New South Wales @ ADFA, Canberra ACT 2600, Australia;

    School of Engineering and Information Technology, the University of New South Wales @ ADFA, Canberra ACT 2600, Australia;

    Department of Computer Science, University of Texas at San Antonio, San Antonio TX 78249-0631, USA;

    Department of Information Systems and Cyber Security and Department of Electrical and Computer Engineering, University of Texas at San Antonio, San Antonio TX 78249-0631, USA;

    Riphah Institute of Systems Engineering (RISE), Riphah International University, Islamabad, Pakistan;

  • Indexed in: Science Citation Index (SCI); Engineering Index (EI)
  • Format: PDF
  • Language: English
  • Keywords

    Intrusion detection; Host anomaly detection; Fuzzy rough sets; Gaussian mixture modeling; Correntropy; Zero-day attacks;

  • Added to database: 2022-08-18 21:21:52
