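@comment{
  Review notes for entry b8743635646846b98c2e577679e4d163:
  - Field values use braces (not quotes) and acronyms in booktitle/series are
    brace-protected so styles that recase do not lowercase IEEE/PRDC.
  - author and editor are normalised to the unambiguous "Last, First" form;
    the original mixed "First Last" and "Last, {First}" in one field.
  - NOTE(review): month/day (May 5) postdate the conference dates kept in the
    note field (22 to 25 Jan 2017); presumably the proceedings' publication
    date from the export -- confirm before relying on it for sorting.
  - The exporter's "Publisher Copyright" text is moved out of note into the
    non-standard copyright field so bibliography styles do not print it.
  - Citation key is kept unchanged so existing \cite commands still resolve.
}
@inproceedings{b8743635646846b98c2e577679e4d163,
  author    = {Fawaz, Ahmed M. and Sanders, William H.},
  title     = {Learning Process Behavioral Baselines for Anomaly Detection},
  booktitle = {Proceedings - 2017 {IEEE} 22nd Pacific Rim International Symposium on Dependable Computing, {PRDC} 2017},
  series    = {Proceedings of {IEEE} Pacific Rim International Symposium on Dependable Computing, {PRDC}},
  editor    = {Kitakami, Masato and Kim, Dong Seong and Varadharajan, Vijay},
  publisher = {IEEE Computer Society},
  pages     = {145--154},
  year      = {2017},
  month     = may,
  day       = {5},
  doi       = {10.1109/PRDC.2017.28},
  language  = {English (US)},
  keywords  = {Anomaly detection, Behavioral baseline, Intrusion detection system, Intrusion resilience, Kernel monitoring},
  note      = {22nd IEEE Pacific Rim International Symposium on Dependable Computing, PRDC 2017; Conference date: 22-01-2017 Through 25-01-2017},
  copyright = {{\textcopyright} 2017 IEEE},
  abstract  = {Intrusion resilience is a protection strategy aimed at building systems that can continue to provide service during attacks. One approach to intrusion resilience is to continuously monitor a system's state and change its configuration to maintain service even while attacks are occurring. Intrusion detection, through both anomaly detection (for unknown attacks) and signature detection (for known attacks) is thus a crucial part of that resilience strategy. In this paper, we introduce KOBRA, an online anomaly detection engine that learns behavioral baselines for applications. KOBRA is implemented as a set of cooperative kernel modules that collects time-stamped process events. The process events are converted to a discrete-time signal in the polar space. We learn local patterns that occur in the data and then learn the normal co-occurrence relationships between the patterns. The patterns and the co-occurrence relations model the normal behavioral baseline of an application. We compute an anomaly score for tested traces and compare it against a threshold for anomaly detection. We evaluate the baseline by experimenting with its ability to discriminate between different processes and detect malicious behavior.},
}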