Reducing False Positive Rate in Anomaly Detection through Generalization of System calls


  1. Murtaza, S.S.
  2. Hamou-Lhadj, A.
  3. Couture, M.
Corporate Authors
Defence R&D Canada - Valcartier, Valcartier QUE (CAN);Concordia Univ, Montreal QUE (CAN)
Prior research has focused mainly on applying different algorithms and heuristics to the data in order to improve the accuracy of anomaly detection systems. However, high false positive rates remain the main issue in anomaly detection despite the use of different algorithms. This suggests that the problem lies not only in the choice of algorithm but also in the discriminating strength of the data. This paper addresses the problem of reducing the false positive rate (irrespective of the algorithm) by removing unnecessary contiguous repetitions of system calls. We apply the sliding window algorithm to traces from which contiguous repetitions of system calls have been removed. Our results on the subject programs Sendmail, Stide, lpr and Xlock show that the average false positive rate on the actual traces is higher than the 69% results on traces without contiguous repetitions, whereas the true positive rate remains the same. This shows that false positives could be reduced significantly if unnecessary repetitions of system calls are removed from traces.
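As an added illustration (not code from the report), the following Python sketch collapses contiguous repetitions of system calls before sliding-window profiling. The traces, window size and system-call names are constructed toy values; they show how a benign trace that merely loops more times stops producing unseen windows once repetitions are collapsed, while an anomalous trace is still flagged.

```python
# Added example: contiguous-repetition collapse before sliding-window profiling.
# All traces below are constructed for illustration, not taken from the report.

def collapse_contiguous_repeats(trace):
    """Keep one copy of each run of identical adjacent calls: read,read,read -> read."""
    out = []
    for call in trace:
        if not out or out[-1] != call:
            out.append(call)
    return out

def sliding_windows(trace, k):
    """All contiguous length-k windows (n-grams) of a trace, as tuples."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]

def build_profile(traces, k, collapse):
    """Set of windows observed in normal traces; this is the model of 'normal'."""
    profile = set()
    for trace in traces:
        seq = collapse_contiguous_repeats(trace) if collapse else trace
        profile.update(sliding_windows(seq, k))
    return profile

def mismatch_rate(trace, profile, k, collapse):
    """Fraction of a trace's windows that never appeared in the profile."""
    seq = collapse_contiguous_repeats(trace) if collapse else trace
    windows = sliding_windows(seq, k)
    if not windows:
        return 0.0
    return sum(1 for w in windows if w not in profile) / len(windows)

K = 4  # assumed window size for this toy
# Constructed normal traces: a file-reading loop with a varying number of reads.
NORMAL_TRACES = [
    ["open", "read", "read", "close", "write"],
    ["open", "read", "read", "read", "close", "write"],
    ["open", "read", "read", "write", "write", "close"],
]
# Same benign behaviour with more loop iterations: (read x4) never seen in training.
TEST_NORMAL = ["open", "read", "read", "read", "read", "read", "close", "write"]
# Constructed anomaly: the read loop is followed by calls never seen in training.
TEST_ANOMALY = ["open", "read", "read", "socket", "connect", "execve"]

def evaluate(collapse):
    """Return (benign mismatch rate, anomalous mismatch rate) for one setting."""
    profile = build_profile(NORMAL_TRACES, K, collapse)
    return (mismatch_rate(TEST_NORMAL, profile, K, collapse),
            mismatch_rate(TEST_ANOMALY, profile, K, collapse))

if __name__ == "__main__":
    for collapse in (False, True):
        benign, anomalous = evaluate(collapse)
        print(f"collapse={collapse}: benign={benign:.2f} anomalous={anomalous:.2f}")
```

Without collapsing, 2 of the benign trace's 5 windows are unseen (a false positive at any threshold below 0.4); with collapsing, the benign trace matches the profile exactly while the anomalous trace remains fully mismatched.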
Report Number
DRDC-VALCARTIER-SL-2011-523 — Scientific Literature
Date of publication
01 Oct 2011
Number of Pages
Electronic Document (PDF)