COMBINATION OF MULTI-CHANNEL CNN AND BiLSTM FOR HOST-BASED INTRUSION DETECTION
A significant increase of intrusion events over the years imposes a challenge on the robust intrusion detection system. In a computer system, execution traces of its programs can be audited as sequences of system calls and provide a rich and expressive source of data to identify anomalous activities. This paper presents a deep learning model, which combines multi-channel CNN and bidirectional LSTM (BiLSTM) models, to detect abnormal executions in host-based intrusion detection systems. Multi-channel CNN with word embedding can in large extent be used to extract relationship features of system calls. Meanwhile, BiLSTM enables our model to understand the context of system call sequences thanks to capturing long-distance dependencies across the sequences. The integration of these two models leads to the efficient and effective detection of abnormal behaviors of a system. Experiment results on ADFA-LD dataset show that our approach outperforms other methods.