
    Applying Bag of System Calls for Anomalous Behavior Detection of Applications in Linux Containers

    Full text link
    In this paper, we present the results of using bags of system calls to learn the behaviour of Linux containers for use in an anomaly-detection based intrusion detection system. Because the containers' system calls are monitored from the host kernel, the system requires no prior knowledge of the nature of the container, nor does it require altering the container or the host kernel. Comment: Published version available on IEEE Xplore (http://ieeexplore.ieee.org/document/7414047/); arXiv admin note: substantial text overlap with arXiv:1611.0305
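An added worked example (not code from the paper above) of the bag-of-system-calls idea: each window of a container's syscall trace becomes a frequency vector, the normal windows are collected from the host-side trace, and a test window is flagged when its nearest normal bag lies farther away than any normal bag's own nearest neighbour. The traces, the window and step sizes, the Euclidean distance and the threshold rule are all this example's assumptions; the paper's classifiers and parameters may differ.

```python
"""Bag-of-system-calls anomaly detection over container syscall traces.

Added worked example, not code from the paper above. The traces are constructed
by hand to stand in for what a host-side tracer would record for a container:
one syscall name per event, in order.
"""
from collections import Counter
import math

# Constructed training traces of a web-server-like accept/read/write/close loop.
NORMAL_TRACES = [
    "accept read write close accept read write close accept read stat open read write close",
    "accept read open read write close accept read write close accept read write close",
    "accept read write close epoll_wait accept read open read write close accept read write close",
]
# Constructed test trace: exec, socket and memory-protection calls never seen in training.
ANOMALOUS_TRACE = "accept read execve socket connect write read mmap mprotect write close"


def bags(trace, window=8, step=4):
    """Slide a window over the trace; each window becomes a syscall frequency vector."""
    calls = trace.split()
    last_start = max(1, len(calls) - window + 1)
    return [Counter(calls[i:i + window]) for i in range(0, last_start, step)]


def distance(a, b):
    """Euclidean distance between two bags over the union of their syscall names."""
    return math.sqrt(sum((a[k] - b[k]) ** 2 for k in set(a) | set(b)))


class BagOfSyscallsDetector:
    def __init__(self, window=8, step=4):
        self.window, self.step = window, step
        self.normal_bags = []
        self.threshold = 0.0

    def fit(self, traces):
        """Keep every normal bag; set the threshold just above the largest
        leave-one-out nearest-neighbour distance among the normal bags."""
        self.normal_bags = [b for t in traces for b in bags(t, self.window, self.step)]
        loo = []
        for i, bag in enumerate(self.normal_bags):
            others = self.normal_bags[:i] + self.normal_bags[i + 1:]
            loo.append(min(distance(bag, o) for o in others))
        self.threshold = max(loo) + 1.0   # the +1.0 slack is an assumption of this example
        return self

    def score(self, trace):
        """Nearest-neighbour distance to the normal bags for each window of a trace."""
        return [min(distance(b, n) for n in self.normal_bags)
                for b in bags(trace, self.window, self.step)]

    def is_anomalous(self, trace):
        return max(self.score(trace)) > self.threshold


if __name__ == "__main__":
    det = BagOfSyscallsDetector().fit(NORMAL_TRACES)
    print("threshold", round(det.threshold, 3))
    for t in NORMAL_TRACES + [ANOMALOUS_TRACE]:
        print(det.is_anomalous(t), [round(s, 2) for s in det.score(t)])
```

The leave-one-out threshold is the weak point in practice: a single rare-but-legitimate window in training (a log rotation, a health check) widens the threshold for everything, so real deployments usually hold out a validation set and pick the threshold against an acceptable false-alarm rate instead.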

    An efficient hidden Markov model training scheme for anomaly intrusion detection of server applications based on system calls

    Get PDF
    Recently the hidden Markov model (HMM) has been shown to be a good tool for modelling the normal behaviour of privileged processes for anomaly intrusion detection based on system calls. However, one major problem with this approach is that it demands excessive computing resources in the HMM training process, which makes it inefficient for practical intrusion detection systems. In this paper a simple and efficient HMM training scheme is proposed by integrating multiple-observation training with incremental HMM training. The proposed scheme first divides the long observation sequence into multiple subsets of sequences. Each subset is then used to infer one sub-model, and that sub-model is incrementally merged into the final HMM. Our experimental results show that this training scheme reduces training time by about 60% compared to conventional batch training. The results also show that the HMM-based detection model is able to detect all denial-of-service attacks embedded in the testing traces.
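An added example, not the paper's code, of the divide-and-merge training scheme: the long normal trace is cut into subsets, each subset trains its own sub-model, the sub-models are merged one by one into a final model, and that model scores test windows by average negative log-likelihood per transition. The paper's models are HMMs; this example substitutes a first-order Markov chain over the observed syscalls (no hidden states), for which merging reduces to adding transition counts, so the result is exact and runs without dependencies. The traces, the add-one smoothing and the window threshold are constructed here. One caveat that the scheme carries regardless of model type: every cut between subsets drops the transition across the cut, so the merged model has seen n_subsets - 1 fewer transitions than batch training would.

```python
"""Divide-and-merge training of a syscall sequence model, then windowed anomaly scoring.

Added worked example, not the paper's code. The paper trains hidden Markov
models; here a first-order Markov chain over observed syscalls stands in, so
that "merging sub-models" is just adding transition counts. All traces are
constructed by hand.
"""
from collections import defaultdict
import math

# Constructed normal trace: a request loop, one variant of which opens a file.
NORMAL_TRACE = ("accept read write close " * 30 + "accept read open read write close " * 10).split()
# Constructed DoS-like burst: connections accepted without ever being served.
DOS_TRACE = "accept accept accept accept read accept accept accept read accept accept".split()
# Constructed test trace with the burst embedded at a known offset.
DOS_START, DOS_END = 24, 24 + len(DOS_TRACE)
TEST_TRACE = NORMAL_TRACE[:DOS_START] + DOS_TRACE + NORMAL_TRACE[:12]


class MarkovSubModel:
    """Transition counts between consecutive syscalls, with add-one smoothing."""

    def __init__(self):
        self.counts = defaultdict(lambda: defaultdict(int))
        self.vocab = set()

    def train(self, seq):
        for a, b in zip(seq, seq[1:]):
            self.counts[a][b] += 1
            self.vocab.update((a, b))
        return self

    def merge(self, other):
        """Fold another sub-model's statistics into this one (exact for count models)."""
        for a, row in other.counts.items():
            for b, n in row.items():
                self.counts[a][b] += n
        self.vocab |= other.vocab
        return self

    def n_transitions(self):
        return sum(sum(row.values()) for row in self.counts.values())

    def prob(self, a, b, alpha=1.0):
        row = self.counts.get(a, {})
        # the +1 in the denominator reserves probability mass for never-seen successors
        return (row.get(b, 0) + alpha) / (sum(row.values()) + alpha * (len(self.vocab) + 1))

    def score(self, seq):
        """Average negative log-likelihood per transition; higher means less normal."""
        nll = -sum(math.log(self.prob(a, b)) for a, b in zip(seq, seq[1:]))
        return nll / (len(seq) - 1)


def split_sequence(seq, n_subsets):
    size = -(-len(seq) // n_subsets)          # ceiling division
    return [seq[i:i + size] for i in range(0, len(seq), size)]


def train_batch(seq):
    return MarkovSubModel().train(seq)


def train_incremental(seq, n_subsets=4):
    """Train one sub-model per subset and merge each into the final model as it is ready."""
    final = MarkovSubModel()
    for subset in split_sequence(seq, n_subsets):
        final.merge(MarkovSubModel().train(subset))
    return final


def flag_windows(model, seq, window=8, threshold=1.0):
    """Start offsets of windows whose score exceeds the threshold (threshold is an assumption)."""
    return [i for i in range(len(seq) - window + 1) if model.score(seq[i:i + window]) > threshold]


if __name__ == "__main__":
    batch, incr = train_batch(NORMAL_TRACE), train_incremental(NORMAL_TRACE)
    print("transitions seen: batch", batch.n_transitions(), "incremental", incr.n_transitions())
    for name, m in (("batch", batch), ("incremental", incr)):
        print(name, "normal", round(m.score(NORMAL_TRACE), 3), "dos", round(m.score(DOS_TRACE), 3))
    print("flagged window starts:", flag_windows(incr, TEST_TRACE), "burst at", (DOS_START, DOS_END))
```

With a real HMM the merge step is an approximation (the sub-models' hidden states have to be aligned before their parameters can be combined), which is why the paper reports detection results alongside the training-time saving rather than assuming the merged model equals the batch one.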

    Fraud Detection in Credit Card System Using Web Mining

    Get PDF
    Abstract: Nowadays the usage of credit cards has increased dramatically. As the credit card becomes the most popular mode of payment for both online and regular purchases, cases of fraud associated with it are also rising. Various web mining techniques such as classification, clustering and apriori will be integrated to represent the sequence of operations in credit card transaction processing and to show how it can be used for the detection of fraud. Initially, the web mining techniques are trained with the normal behaviour of a cardholder. If an incoming credit card transaction is not accepted by the web mining model with sufficiently high probability, it is considered to be fraudulent. At the same time, the system will try to ensure that genuine transactions are not rejected. Using data from a credit card issuer, a fraud detection system based on a web mining model will be trained on a large sample of labelled credit card account transactions and tested on a holdout data set consisting of all account activity. Web mining techniques can be trained on examples of fraud due to lost cards, stolen cards, application fraud, counterfeit fraud, and mail-order fraud. The proposed system will be able to detect fraud by considering a cardholder's spending habit without its significance. Usually, the details of the items purchased in individual transactions are not known to any fraud detection system. The proposed system will be an ideal choice for addressing this problem of current fraud detection systems. Another important advantage of the proposed system will be a drastic reduction in the number of false positive transactions. The FDS module of the proposed system will receive the card details and the value of the purchase to verify whether the transaction is genuine or not. If the fraud detection system module confirms the transaction to be fraudulent, it will raise an alarm, and the transaction will be declined.

    Network Attacks Detection by Hierarchical Neural Network

    Get PDF
    Intrusion detection is an emerging area of research in computer security and networks with the growing use of the Internet in everyday life. Most intrusion detection systems (IDSs) use a single classifier algorithm to classify network traffic data as normal or anomalous. However, these single-classifier systems fail to provide the best possible attack detection rate with a low false alarm rate. In this paper, we propose a hybrid intelligent approach using a combination of classifiers in order to make the decision intelligently, so that the overall performance of the resultant model is enhanced. The general procedure is to first apply supervised or unsupervised data filtering with a classifier or clustering step on the whole training dataset, and then feed the output to another classifier to classify the data. In this research, we applied neural networks with supervised and unsupervised learning to implement the intrusion detection system. Moreover, in this project we used parallelization across the system's processors to detect intrusions in real time, which improved the speed of intrusion detection. To train and test the neural network, the NSL-KDD dataset was used. Creating several different intrusion detection systems, each considered a single agent, we proceeded with signature-based intrusion detection of the network. In the proposed design, the attacks have been classified into 4 groups and each group is detected by an agent equipped with an intrusion detection system (IDS). These agents act independently and report intrusion or non-intrusion in the system; the results achieved by the agents are studied by a Final Analyst, which finally reports whether or not there has been an intrusion in the system.
    Keywords: Intrusion Detection, Multi-layer Perceptron, False Positives, Signature-based intrusion detection, Decision tree, Naïve Bayes Classifier

    Intrusion Detection System Using an LSTM-based Language Model

    Get PDF
    Master's thesis, Seoul National University, Graduate School, College of Engineering, Department of Electrical and Computer Engineering, August 2017 (advisor: 윤성로, Sungroh Yoon). Designing a robust intrusion detection system is one of the most central and important problems in computer security. This thesis proposes a language-model approach over system call sequences and branch sequences for the design of an anomaly-based host intrusion detection system. To address the high false-alarm rate that existing methods commonly suffer from, a new ensemble method is used that combines several threshold classifiers so that normal sequences are captured well. The language model has the advantage of being able to learn the meaning of each system call and the interactions between calls, something earlier methods did poorly. The validity and effectiveness of the proposed method are demonstrated through a variety of experiments on public datasets and newly generated data. The model is also shown to be highly portable.
    Contents: Korean abstract; Acknowledgement; 1 Introduction; 2 Language Model of System Call Sequences (2.1 Model Architecture, 2.2 Baseline Classifiers, 2.3 Performance Evaluation); 3 Ensemble Method to Reduce False Alarms (3.1 Ensemble Method, 3.2 Comparison with Other Methods); 4 Interpretation to Transfer Learning (4.1 Portability of Model, 4.2 Visualization of Learned Representations); 5 Generalization to Branch Sequences (5.1 Handling Open Vocabulary Problem, 5.2 Experiments on Branch Sequences, 5.3 Discussion on Branch Language Model); 6 Future Work (6.1 Advanced Model Architecture, 6.2 Finding Anomalous Segments, 6.3 Adversarial Training, 6.4 Online Learning Framework); 7 Conclusion; References; Abstract. Degree: Master

    Some Evaluations of the Effectiveness of Anomaly Based Intrusion Detection Systems Based on the Junction Tree Algorithm

    Get PDF
    ABSTRACT The aim of this paper is to present some evaluations of the effectiveness of an IDS based on the junction tree algorithm (JTA). We focus on two statistical measures, sensitivity and specificity, which are functions of the true positive rate and false negative rate, and of the false positive rate and true negative rate, respectively. The relationship between them is given by the receiver operating characteristic curve, which is a graphical method of estimation. To achieve a balance between the false positive rate and the false negative rate, the crossover error rate is used.
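An added example, not from the paper, that computes the measures the abstract names from a set of per-session anomaly scores: sensitivity and specificity at a given threshold, the ROC points obtained by sweeping the threshold, the area under that curve, and the crossover error rate (the threshold at which the false positive and false negative rates meet). The scores and labels are constructed, and the tie-breaking rule (pick the threshold whose FPR and FNR are closest) is an assumption of this example.

```python
"""Sensitivity, specificity, ROC sweep and crossover error rate for an anomaly detector.

Added worked example, not code from the paper. SCORES is constructed: one
(anomaly score, label) pair per monitored session, label 1 = intrusion.
"""

SCORES = [
    (0.10, 0), (0.20, 0), (0.35, 0), (0.40, 1), (0.45, 0), (0.50, 0),
    (0.60, 1), (0.65, 0), (0.70, 1), (0.80, 1), (0.90, 1), (0.95, 1),
]


def confusion(scores, threshold):
    """Count TP, FN, FP, TN when every score >= threshold is declared an intrusion."""
    tp = fn = fp = tn = 0
    for score, label in scores:
        alarm = score >= threshold
        if label == 1:
            if alarm:
                tp += 1
            else:
                fn += 1
        elif alarm:
            fp += 1
        else:
            tn += 1
    return tp, fn, fp, tn


def sensitivity(tp, fn):
    """True positive rate; equals 1 - false negative rate."""
    return tp / (tp + fn)


def specificity(tn, fp):
    """True negative rate; equals 1 - false positive rate."""
    return tn / (tn + fp)


def roc_points(scores):
    """(FPR, TPR) for each threshold, from 'alarm on nothing' down to 'alarm on everything'."""
    points = [(0.0, 0.0)]   # threshold above every score: no alarms at all
    for t in sorted({s for s, _ in scores}, reverse=True):
        tp, fn, fp, tn = confusion(scores, t)
        points.append((1 - specificity(tn, fp), sensitivity(tp, fn)))
    return points


def auc(points):
    """Area under the ROC curve by the trapezoid rule."""
    pts = sorted(points)
    return sum((x1 - x0) * (y0 + y1) / 2 for (x0, y0), (x1, y1) in zip(pts, pts[1:]))


def crossover_error_rate(scores):
    """Threshold at which FPR and FNR are closest, and the error rate there."""
    best = None
    for t in sorted({s for s, _ in scores}):
        tp, fn, fp, tn = confusion(scores, t)
        fpr, fnr = 1 - specificity(tn, fp), 1 - sensitivity(tp, fn)
        if best is None or abs(fpr - fnr) < abs(best[1] - best[2]):
            best = (t, fpr, fnr)
    t, fpr, fnr = best
    return t, (fpr + fnr) / 2


if __name__ == "__main__":
    for t in (0.4, 0.6, 0.7):
        tp, fn, fp, tn = confusion(SCORES, t)
        print(f"threshold {t}: sensitivity {sensitivity(tp, fn):.3f} specificity {specificity(tn, fp):.3f}")
    print("AUC", round(auc(roc_points(SCORES)), 4))
    print("crossover threshold, CER", crossover_error_rate(SCORES))
```

The crossover point is a convenience, not a recommendation: for an IDS the cost of a missed intrusion rarely equals the cost of a false alarm, so the operating threshold is normally chosen on the ROC curve at the false positive rate the analysts can actually absorb.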

    A Survey on Detection and Defense of Application Layer DDoS Attacks

    Full text link
    Over time, the effect of DDoS attacks on Internet security has grown tremendously. Within a very short span there has been a huge increase in the size and frequency of DDoS attacks. With new technologies and new techniques, attackers are finding more sophisticated ways to attack servers. In this situation, it is necessary to come up with mechanisms to detect and defend against these DDoS attacks and protect servers from attackers. Much research has been carried out to detect DDoS attack traffic in the transport layer, which is more vulnerable to DDoS attacks; DDoS attacks are more common in the transport layer. In the application layer, they incur huge losses, and it is very difficult to mitigate DDoS attacks even in the presence of strong firewalls and intrusion prevention systems. Research is being conducted to mitigate application layer DDoS attacks. This survey discusses various types of DDoS attacks and the detection, defense and prevention methods proposed by various researchers.