This paper presents the design and performance evaluation of a host-based misuse intrusion detection system for the Linux operating system. The proposed system employs a feature extraction technique based on principal component analysis, which is called Eigentraces, of operating system call trace data, and k-nearest neighbor algorithm for classification. The design is evaluated on the ADFA-LD dataset which entails one normal and six attack classes. Feature vectors are formed from fixed-size system call trace raw data through windowing and the principal component analysis, and serve as templates for the training phase. Classification of system call trace data that is in the form of feature vectors which are formulated through the Eigentraces procedure is accomplished using the k-nearest-neighbor algorithm. Two variants of the misuse intrusion detection system designs were evaluated through a simulation study on the ADFA-LD dataset: one design considered only two classes, namely normal and attack classes while the second design considered seven classes, namely one normal and six attack classes. In both cases the proposed design demonstrated very high performance. In overall, the misuse intrusion detection system was able to detect the attacks and predict the type of the attacks.
