Learning process behavioral baselines for anomaly detection

Ahmed M. Fawaz, William H. Sanders

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Intrusion resilience is a protection strategy aimed at building systems that can continue to provide service during attacks. One approach to intrusion resilience is to continuously monitor a system's state and change its configuration to maintain service even while attacks are occurring. Intrusion detection, through both anomaly detection (for unknown attacks) and signature detection (for known attacks) is thus a crucial part of that resilience strategy. In this paper, we introduce KOBRA, an online anomaly detection engine that learns behavioral baselines for applications. KOBRA is implemented as a set of cooperative kernel modules that collects time-stamped process events. The process events are converted to a discrete-time signal in the polar space. We learn local patterns that occur in the data and then learn the normal co-occurrence relationships between the patterns. The patterns and the co-occurrence relations model the normal behavioral baseline of an application. We compute an anomaly score for tested traces and compare it against a threshold for anomaly detection. We evaluate the baseline by experimenting with its ability to discriminate between different processes and detect malicious behavior.

Original languageEnglish (US)
Title of host publicationProceedings - 2017 IEEE 22nd Pacific Rim International Symposium on Dependable Computing, PRDC 2017
EditorsMasato Kitakami, Dong Seong Kim, Vijay Varadharajan
PublisherIEEE Computer Society
Pages145-154
Number of pages10
ISBN (Electronic)9781509056514
DOIs
StatePublished - May 5 2017
Event22nd IEEE Pacific Rim International Symposium on Dependable Computing, PRDC 2017 - Christchurch, New Zealand
Duration: Jan 22 2017Jan 25 2017

Publication series

NameProceedings of IEEE Pacific Rim International Symposium on Dependable Computing, PRDC
ISSN (Print)1541-0110

Other

Other22nd IEEE Pacific Rim International Symposium on Dependable Computing, PRDC 2017
CountryNew Zealand
CityChristchurch
Period1/22/171/25/17

Keywords

  • Anomaly detection
  • Behavioral baseline
  • Intrusion detection system
  • Intrusion resilience
  • Kernel monitoring

ASJC Scopus subject areas

  • Computational Theory and Mathematics
  • Computer Science Applications
  • Hardware and Architecture
  • Software

Fingerprint Dive into the research topics of 'Learning process behavioral baselines for anomaly detection'. Together they form a unique fingerprint.

  • Cite this

    Fawaz, A. M., & Sanders, W. H. (2017). Learning process behavioral baselines for anomaly detection. In M. Kitakami, D. S. Kim, & V. Varadharajan (Eds.), Proceedings - 2017 IEEE 22nd Pacific Rim International Symposium on Dependable Computing, PRDC 2017 (pp. 145-154). [7920608] (Proceedings of IEEE Pacific Rim International Symposium on Dependable Computing, PRDC). IEEE Computer Society. https://doi.org/10.1109/PRDC.2017.28