Grimmer, M. ; Kaelble, T. ; Rahm, E.

Improving Host-based Intrusion Detection Using Thread Information

Symposium on Emerging Information Security and Applications (EISA) 2021

2021 / 11



Host-based anomaly detection for identifying attacks typically analyzes sequences or frequencies of system calls. However, most of the known approaches ignore the fact that software in modern IT systems is multithreaded so that different system calls may belong to different threads and users. In this work, we show that anomaly detection algorithms can be improved by considering thread information. For this purpose, we extend seven algorithms and comparatively evaluate their effectiveness with and without the use of thread information. The evaluation is based on the LID-DS dataset providing suitable thread information.