
Developing a high-accuracy cross platform Host-Based Intrusion Detection System capable of reliably detecting zero-day attacks


Abstract

Current anomaly-based host-based intrusion detection systems (HIDS) are limited in accuracy: any increase in detection rate brings a corresponding increase in false-alarm rate. Furthermore, present technology is largely limited in scope to the Linux operating system, while the popular Windows family of computers is forced to rely on signature-based protection schemes.

This thesis investigates a new approach to host-based intrusion detection system design, with the specific aims of improving performance beyond that of existing technology and of developing a cross-platform approach to intrusion detection. The research makes three original and significant contributions to the field and represents a marked advance in the body of knowledge.

The first major contribution is a new semantic approach to system call data processing, which allows the creation of host-based intrusion detection systems for the Linux operating system that perform significantly better than existing approaches. Performance was evaluated against existing datasets and also against a new, modern dataset designed as part of this research.

The second key contribution is a new theory that allows traditional system-call-centric Linux anomaly-based intrusion detection systems to be deployed on the Windows operating system for the first time. This technological advance means that protection against zero-day attacks is now possible on that operating system for the first time. These results were tested using a second new dataset designed as part of this research.

The final key contribution of this thesis is a new attack methodology that is able to bypass traditional Windows signature-based defences without any obfuscation. The revelation of this new attack technology is an important contribution in and of itself, as it allows the worldwide community of researchers to address this important weakness in current approaches.

Notwithstanding this threat, host-based intrusion detection systems that use the first two new theories outlined in this thesis are shown to detect this new attack class with a high degree of accuracy, allowing effective protection and significantly mitigating the threat.