Sequence-similarity kernels for SVMs to detect anomalies in system calls

In intrusion detection systems (IDSs), short sequences of system calls executed by running programs can be used as evidence to detect anomalies. In this paper, one-class support vector machines (SVMs) using sequence-similarity kernels are adopted as the anomaly detectors. Edit distance-based kernel and common subsequence-based kernel are proposed to utilize the sequence information in the detection. Algorithms for efficient computation of the kernels are derived with the techniques of dynamic programming and bit-parallelism. The experimental results indicate that the proposed kernels can significantly outperform the standard RBF kernel.