An Improved Intrusion Detecting Method Based on Process Profiling

Bibliographic information

Alternative title
  • Improved Intrusion Detecting Method Based on Process Profiling

Abstract

There have been two well-known models for host-based intrusion detection. They are called the Anomaly Intrusion Detection (AID) model and the Misuse Intrusion Detection (MID) model. The former model analyzes user behavior and the statistics of a process in a normal situation, and it checks whether the system is being used in a different manner. The latter model maintains a database of known intrusion techniques and detects intrusion by comparing a behavior against the database. An intrusion detection method based on an AID model can detect a new intrusion method; however, it needs to update the data describing user behavior and the statistics in normal usage. We call this information profiles. There are several problems in AID to be addressed. The profiles tend to be large. Detecting intrusion needs a large amount of system resources, like CPU time, memory and disk space. An MID model requires a smaller amount of system resources to detect intrusion. However, it cannot detect new, unknown intrusion methods. Our method solves these problems by recording system calls from daemon processes and setuid programs. We have further improved the method to eliminate false positive intrusion detections by adopting a DP matching scheme.

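The following is an added illustration of the detection approach the abstract describes; it is not code from the paper, and the paper's exact DP matching formulation is not given on this page. It assumes that a process profile is a set of system-call sequences recorded from normal runs of one daemon, that "DP matching" is realised here as Levenshtein edit distance computed with a dynamic-programming table, and that a trace is accepted when its normalized distance to the nearest profile entry is at or below a threshold (0.25 is an arbitrary choice). The traces, the daemon, and the threshold are all constructed for the example. It shows why exact sequence matching produces a false positive on a benign variation (one retried `read`) while DP matching accepts it and still flags a trace that departs from the profile.

```python
"""Process-profile intrusion detection: exact matching vs DP (edit-distance) matching.

Constructed example: the system-call traces below are hand-written stand-ins
for what a tracer would record from one daemon process. They are not real
profiles and are not data from the paper.
"""
from typing import Dict, List, Sequence

Trace = List[str]

# Profile of normal behaviour for a hypothetical daemon (constructed data):
# one recorded syscall sequence per observed code path.
PROFILE: Dict[str, Trace] = {
    "plain_request": ["socket", "bind", "listen", "accept", "read", "write", "close"],
    "file_request": ["socket", "bind", "listen", "accept", "read", "open", "read",
                     "write", "close"],
}

# A benign run with one extra read() (e.g. a short read followed by a retry).
BENIGN_VARIANT: Trace = ["socket", "bind", "listen", "accept", "read", "read",
                         "write", "close"]

# A run that departs from the profile after the request is read (constructed).
SUSPICIOUS: Trace = ["socket", "bind", "listen", "accept", "read", "fork",
                     "execve", "setuid", "chmod", "write"]


def exact_match(trace: Sequence[str], profile: Dict[str, Trace] = PROFILE) -> bool:
    """Strict check: the trace must equal one recorded normal trace exactly.
    Any harmless deviation (a retried read, a reordered call) is flagged."""
    return any(list(trace) == normal for normal in profile.values())


def dp_distance(a: Sequence[str], b: Sequence[str]) -> int:
    """Levenshtein edit distance between two syscall sequences.

    Classic O(len(a) * len(b)) dynamic-programming table, keeping one row.
    Each insertion, deletion or substitution of a call costs 1."""
    prev = list(range(len(b) + 1))
    for i, call_a in enumerate(a, start=1):
        cur = [i]
        for j, call_b in enumerate(b, start=1):
            cost = 0 if call_a == call_b else 1
            cur.append(min(prev[j] + 1,          # delete call_a
                           cur[j - 1] + 1,       # insert call_b
                           prev[j - 1] + cost))  # substitute (or match for free)
        prev = cur
    return prev[-1]


def anomaly_score(trace: Sequence[str], profile: Dict[str, Trace] = PROFILE) -> float:
    """Smallest normalized edit distance from the trace to any profile entry.

    0.0 means the trace is in the profile; 1.0 means nothing lines up.
    The `or 1` guards against two empty sequences (distance 0, length 0)."""
    return min(dp_distance(trace, normal) / (max(len(trace), len(normal)) or 1)
               for normal in profile.values())


def dp_match(trace: Sequence[str], threshold: float = 0.25,
             profile: Dict[str, Trace] = PROFILE) -> bool:
    """DP-matching check: accept traces that are close enough to the profile."""
    return anomaly_score(trace, profile) <= threshold


if __name__ == "__main__":
    for name, trace in (("benign variant", BENIGN_VARIANT), ("suspicious", SUSPICIOUS)):
        print(f"{name:15s} exact={exact_match(trace)!s:5s} "
              f"dp={dp_match(trace)!s:5s} score={anomaly_score(trace):.3f}")
```

The threshold is the tuning knob: lowering it moves the detector back toward exact matching (fewer missed deviations, more false positives), raising it tolerates larger benign drift at the cost of missing short anomalous insertions. The normalization by sequence length keeps long traces from being penalised merely for having more calls.
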
Journal

Cited by (3) *Note

References (20) *Note

Details
