A new approach, based on the k-Nearest Neighbor (kNN) classifier, is used to classify program behavior as normal or intrusive. Short sequences of system calls have previously been used by others to characterize a program's normal behavior. However, separate databases of short system call sequences have to be built for different programs, and learning program profiles involves time-consuming training and testing processes. With the kNN classifier, the frequencies of system calls are used to describe the program behavior. Text categorization techniques are adopted to convert each process to a vector and to calculate the similarity between two program activities. Since there is no need to learn individual program profiles separately, the amount of computation involved is greatly reduced. Preliminary experiments with 1998 DARPA BSM audit data show that the kNN classifier can effectively detect intrusive attacks and achieve a low false positive rate.
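The frequency-vector and similarity steps described in the abstract, written out as an added example that is not the paper's own code. The traces are constructed, not taken from the DARPA BSM data, and the choice of cosine similarity, k = 2 and the 0.8 acceptance threshold are assumptions made for this illustration.

```python
from collections import Counter
from math import sqrt

# Constructed sample data (not the DARPA BSM audit data): each process is the
# ordered list of system calls it issued. Only the frequencies matter here.
NORMAL_TRACES = [
    ["open", "read", "read", "close", "open", "read", "close"],
    ["open", "read", "mmap", "close", "exit"],
    ["open", "read", "read", "read", "close", "exit"],
]

def vocabulary(traces):
    """Distinct system calls across the given traces, in a fixed order."""
    return sorted({call for trace in traces for call in trace})

def to_vector(trace, vocab):
    """Bag-of-words representation of a process: one dimension per system
    call, holding how often that call occurs in the trace."""
    counts = Counter(trace)
    return [counts.get(call, 0) for call in vocab]

def cosine(a, b):
    """Cosine similarity between two frequency vectors (0.0 if either is all zeros)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = sqrt(sum(x * x for x in a))
    norm_b = sqrt(sum(y * y for y in b))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0

def knn_score(trace, normal_traces, k):
    """Average cosine similarity between a process and its k most similar
    normal processes. The vocabulary also covers the process under test, so a
    system call never seen in normal data lowers the similarity (assumed handling)."""
    if not normal_traces:
        raise ValueError("need at least one normal process to compare against")
    vocab = vocabulary(normal_traces + [trace])
    query = to_vector(trace, vocab)
    sims = sorted((cosine(query, to_vector(t, vocab)) for t in normal_traces),
                  reverse=True)[:k]
    return sum(sims) / len(sims)

def classify(trace, normal_traces, k=2, threshold=0.8):
    """'normal' if the kNN similarity reaches the threshold, otherwise 'intrusive'."""
    return "normal" if knn_score(trace, normal_traces, k) >= threshold else "intrusive"

if __name__ == "__main__":
    benign = ["open", "read", "read", "close", "exit"]
    odd = ["open", "execve", "setuid", "chmod", "chown"]
    for t in (benign, odd):
        print(t, round(knn_score(t, NORMAL_TRACES, 2), 3), classify(t, NORMAL_TRACES))
```

Because every normal process is compared directly, adding a profile for a new program is just another entry in `NORMAL_TRACES`; no per-program sequence database is built.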
Yihua Liao
2002-05-13