10,875 research outputs found
Classification Trees as a Technique for Creating Anomaly-Based Intrusion Detection Systems
Intrusion detection is a critical component of security information systems. The intrusion detection process attempts to detect malicious
attacks by examining various data collected during processes on the protected system. This paper examines the anomaly-based intrusion detection
based on sequences of system calls. The point is to construct a model that
describes normal or acceptable system activity using the classification trees
approach. The created database is utilized as a basis for distinguishing the
intrusive activity from the legal one using string metric algorithms. The
major results of the implemented simulation experiments are presented and
discussed as well
Searching System Call Information for Clues: The Effects of Intrusions of Processes
The United States Air Force extensively uses information systems as a tool managing and maintaining its information. The increased dependence on these systems in recent years has necessitated the need for protection front threats of information warfare and cyber terrorism. One type of protection utilizes intrusion detection systems to provide indications that intrusive behavior has occurred. Other types of protection may include packet filtering, cryptography and strong user authentication. Traditional approaches toward intrusion detection rely on features that are external to computer processes. By treating processes as black-boxes, intrusion detection systems may miss a wealth of information that could be useful for detecting intrusions. This thesis effort investigate the effectiveness of anomaly-based intrusion detection using system call information from a computational process. Previous work uses sequences of system calls to identity anomalies in processes. Instead of sequences of system calls, information associated with each system call is used to build a profile of normality that may be used to detect a process deviation. Such information includes parameters passed, results returned and the instruction pointer associated with the system call. Three methods of detecting deviations are evaluated for this problem. These include direct matching, relaxed matching and artificial immune system matching techniques. The test data used includes stack-based buffer overflows, heap-based buffer overflows and file binding race conditions. Results from this effort show that although attempted exploits were difficult to detect, certain actual exploits were easily detectable from system call information. In addition, each of the matching approaches provides some indication of anomalous behavior, however each has strengths and limitations. This effort is considered a piece of the defense-in- depth model of intrusion detection
Detecting intrusions using system calls: alternative data models
Intrusion detection systems rely on a wide variety of observable data to distinguish between legitimate and illegitimate activities. In this paper we study one such observable—sequences of system calls into the kernel of an operating system. Using system-call data sets generated by several different programs, we compare the ability of different data modeling methods to represent normal behavior accurately and to recognize intrusions. We compare the following methods: Simple enumeration of observed sequences, comparison of relative frequencies of different sequences, a rule induction technique, and Hidden Markov Models (HMMs). We discuss the factors affecting the performance of each method, and conclude that for this particular problem, weaker methods than HMMs are likely sufficient
Classifying System Call Traces using Anomalous Detection
We used data mining techniques to detect intrusions among system call traces and have outlined our results. Recent work at the intersection of security and machine learning has lead to better understanding of anomalous intrusion detection. There is a need to more thoroughly understand how anomaly detection can be used because of its potential applications and advantages over current standard methods. In this thesis, we report on a new approach of anomalous detection using system call traces. Our goal is to be able to create a system that can accurately detect hacking attacks by analyzing the sequences of system calls the operating system is performing. We will look at how this data can be processed to achieve correct detection of intrusions on a system. In the end, we will outline ways in which system call traces can be leveraged as well as what we can do and learn from these results
Comparison of System Call Representations for Intrusion Detection
Over the years, artificial neural networks have been applied successfully in
many areas including IT security. Yet, neural networks can only process
continuous input data. This is particularly challenging for security-related
non-continuous data like system calls. This work focuses on four different
options to preprocess sequences of system calls so that they can be processed
by neural networks. These input options are based on one-hot encoding and
learning word2vec or GloVe representations of system calls. As an additional
option, we analyze if the mapping of system calls to their respective kernel
modules is an adequate generalization step for (a) replacing system calls or
(b) enhancing system call data with additional information regarding their
context. However, when performing such preprocessing steps it is important to
ensure that no relevant information is lost during the process. The overall
objective of system call based intrusion detection is to categorize sequences
of system calls as benign or malicious behavior. Therefore, this scenario is
used to evaluate the different input options as a classification task. The
results show, that each of the four different methods is a valid option when
preprocessing input data, but the use of kernel modules only is not recommended
because too much information is being lost during the mapping process.Comment: 12 pages, 1 figure, submitted to CISIS 201
Applying Bag of System Calls for Anomalous Behavior Detection of Applications in Linux Containers
In this paper, we present the results of using bags of system calls for
learning the behavior of Linux containers for use in anomaly-detection based
intrusion detection system. By using system calls of the containers monitored
from the host kernel for anomaly detection, the system does not require any
prior knowledge of the container nature, neither does it require altering the
container or the host kernel.Comment: Published version available on IEEE Xplore
(http://ieeexplore.ieee.org/document/7414047/) arXiv admin note: substantial
text overlap with arXiv:1611.0305
An Immune Inspired Approach to Anomaly Detection
The immune system provides a rich metaphor for computer security: anomaly
detection that works in nature should work for machines. However, early
artificial immune system approaches for computer security had only limited
success. Arguably, this was due to these artificial systems being based on too
simplistic a view of the immune system. We present here a second generation
artificial immune system for process anomaly detection. It improves on earlier
systems by having different artificial cell types that process information.
Following detailed information about how to build such second generation
systems, we find that communication between cells types is key to performance.
Through realistic testing and validation we show that second generation
artificial immune systems are capable of anomaly detection beyond generic
system policies. The paper concludes with a discussion and outline of the next
steps in this exciting area of computer security.Comment: 19 pages, 4 tables, 2 figures, Handbook of Research on Information
Security and Assuranc
- …