Abstract
System call sequences are widely used as raw data in machine-learning-based host intrusion detection because of their promising performance. However, evolving intrusion attacks, such as those using obfuscation techniques, can achieve the same intrusion purpose and effect while changing the combination of malicious system calls to bypass anomaly identification, which makes detection results non-robust or even invalid. In this paper, we present a behavioral semantics enhancement method for system call sequences to overcome this problem. The method combines sequence completion, which extends behavior information capacity, with system call abstraction and invocation switching differential encoding, which improve abstractive representation ability. To extract behavioral semantic features and classify the data, the enhanced sequences are transformed into vector matrices and fed into a multi-channel Text-CNN. Evaluation experiments show that the proposed method significantly outperforms all of the compared works, which suggests that it is more accurate and robust in detecting obfuscation attacks.
Original language | English |
---|---|
Pages (from-to) | 112-126 |
Number of pages | 15 |
Journal | Future Generation Computer Systems |
Volume | 125 |
Publication status | Published - Dec 2021 |
Keywords
- Behavioral semantics
- Deep learning
- Host intrusion detection
- Obfuscation attack
- System call