Anomaly-Based Intrusion Detection System Sharing Normal Behavior Databases among Different Machines

2009 
A number of studies have examined anomaly detection systems based on training of system call sequences in the normal execution of applications. However, many of these anomaly detection systems have low detection accuracy when the training is not sufficient. This occurs because the normal behavior data obtained through training on one machine cannot be used for detection on another machine. In this paper, we propose an anomaly detection system that shares normal behavior data between multiple machines. In the proposed system, normal behavior data obtained on each machine is accumulated in a server and the integrated data is distributed to each machine. This system improves the detection accuracy by integrating the data used for anomaly detection on each machine. The proposed system not only provides a straightforward algorithm for integration, but also two improved algorithms, namely, the majority algorithm and the similarity algorithm. The proposed system was implemented on the Linux operating system, and its behavior was compared experimentally with that of an existing system.
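The following toy model is an added illustration, not code from the paper: it shows why a normal behavior database trained on one machine flags another machine's ordinary traces, and how pooling several machines' databases on a server changes the result. The system-call n-gram representation, the union for the straightforward integration, and the reading of the majority algorithm as a quorum over machines are assumptions (the similarity algorithm is not modelled); all traces are constructed.

```python
"""Toy model of sharing system-call n-gram profiles between machines."""
from collections import Counter
from typing import Iterable, List, Set, Tuple

Gram = Tuple[str, ...]
WINDOW = 3  # assumed sliding-window length for system-call n-grams


def train_profile(traces: Iterable[List[str]], n: int = WINDOW) -> Set[Gram]:
    """Normal behavior database: every n-gram seen in the training traces."""
    profile: Set[Gram] = set()
    for trace in traces:
        for i in range(len(trace) - n + 1):
            profile.add(tuple(trace[i:i + n]))
    return profile


def integrate_union(profiles: List[Set[Gram]]) -> Set[Gram]:
    """Straightforward integration on the server: accept any n-gram any machine saw."""
    return set().union(*profiles)


def integrate_majority(profiles: List[Set[Gram]], quorum: int = 0) -> Set[Gram]:
    """Assumed reading of the majority algorithm: keep n-grams reported by a majority
    of machines, so a pattern peculiar to one machine does not enter the shared DB."""
    quorum = quorum or len(profiles) // 2 + 1
    counts = Counter(g for p in profiles for g in p)
    return {g for g, c in counts.items() if c >= quorum}


def mismatch_rate(trace: List[str], profile: Set[Gram], n: int = WINDOW) -> float:
    """Anomaly score: fraction of the monitored trace's n-grams absent from the DB."""
    grams = [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]
    return sum(g not in profile for g in grams) / len(grams) if grams else 0.0


# Constructed training traces for three machines running the same application.
MACHINE_A = [["open", "read", "close"], ["open", "read", "read", "close"]]
MACHINE_B = [["open", "read", "close"], ["open", "fstat", "read", "close"]]
MACHINE_C = [["open", "read", "read", "close"], ["open", "read", "close", "exit"]]
PROFILES = [train_profile(m) for m in (MACHINE_A, MACHINE_B, MACHINE_C)]

if __name__ == "__main__":
    b_normal = ["open", "fstat", "read", "close"]
    print("B's trace vs. A's local DB:", mismatch_rate(b_normal, PROFILES[0]))
    print("B's trace vs. shared union DB:", mismatch_rate(b_normal, integrate_union(PROFILES)))
    print("majority DB keeps", len(integrate_majority(PROFILES)), "of", len(integrate_union(PROFILES)), "n-grams")
```

A trace that no machine produced during training (for example one inserting a `write` between `read` and `close`) still scores 1.0 against the shared database, so pooling removes the cross-machine false positives without accepting arbitrary sequences.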