A Classical and Hybrid Machine Learning Model for Host-Based Intrusion Systems
摘要
The increasing complexity of malware, especially zero-day and polymorphic types, challenges host-based intrusion detection systems (HIDS). Signature-based methods, effective against known threats, struggle with new attacks and suffer from database growth, limiting scalability. Anomaly detection using system call sequences can identify unknown malware but often needs lengthy sequences (>600 calls) for high accuracy (>99%), leading to slow responses. This paper introduces a novel BestFirst-SVM framework that improves anomaly detection by shortening sequence length through optimised feature selection, achieving 97.35% accuracy and a 0.94 F1-score. The approach was tested on the AWSCTD dataset, comparing classical (KNN, SVM, MLP), hybrid (PSO-NB, PSO-KNN, PSO-SVM, PSO-MLP), and BestFirst-SVM models. Conducted on Google Colaboratory, this study sets benchmarks for accuracy, sensitivity, specificity, and computational efficiency, providing a resource-efficient option for real-time HIDS applications.