Learning process behavioral baselines for anomaly detection

Ahmed M. Fawaz, William H. Sanders

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Intrusion resilience is a protection strategy aimed at building systems that can continue to provide service during attacks. One approach to intrusion resilience is to continuously monitor a system's state and change its configuration to maintain service even while attacks are occurring. Intrusion detection, through both anomaly detection (for unknown attacks) and signature detection (for known attacks), is thus a crucial part of that resilience strategy. In this paper, we introduce KOBRA, an online anomaly detection engine that learns behavioral baselines for applications. KOBRA is implemented as a set of cooperative kernel modules that collect time-stamped process events. The process events are converted to a discrete-time signal in the polar space. We learn local patterns that occur in the data and then learn the normal co-occurrence relationships between the patterns. The patterns and the co-occurrence relations model the normal behavioral baseline of an application. We compute an anomaly score for tested traces and compare it against a threshold for anomaly detection. We evaluate the baseline by experimenting with its ability to discriminate between different processes and detect malicious behavior.

Original language: English (US)
Title of host publication: Proceedings - 2017 IEEE 22nd Pacific Rim International Symposium on Dependable Computing, PRDC 2017
Editors: Masato Kitakami, Dong Seong Kim, Vijay Varadharajan
Publisher: IEEE Computer Society
Pages: 145-154
Number of pages: 10
ISBN (Electronic): 9781509056514
DOI: 10.1109/PRDC.2017.28
State: Published - May 5 2017
Event: 22nd IEEE Pacific Rim International Symposium on Dependable Computing, PRDC 2017 - Christchurch, New Zealand
Duration: Jan 22 2017 to Jan 25 2017

Publication series

Name: Proceedings of IEEE Pacific Rim International Symposium on Dependable Computing, PRDC
ISSN (Print): 1541-0110

Other

Other: 22nd IEEE Pacific Rim International Symposium on Dependable Computing, PRDC 2017
Country: New Zealand
City: Christchurch
Period: 1/22/17 to 1/25/17

Keywords

  • Anomaly detection
  • Behavioral baseline
  • Intrusion detection system
  • Intrusion resilience
  • Kernel monitoring

ASJC Scopus subject areas

  • Computational Theory and Mathematics
  • Computer Science Applications
  • Hardware and Architecture
  • Software

Cite this

Fawaz, A. M., & Sanders, W. H. (2017). Learning process behavioral baselines for anomaly detection. In M. Kitakami, D. S. Kim, & V. Varadharajan (Eds.), Proceedings - 2017 IEEE 22nd Pacific Rim International Symposium on Dependable Computing, PRDC 2017 (pp. 145-154). [7920608] (Proceedings of IEEE Pacific Rim International Symposium on Dependable Computing, PRDC). IEEE Computer Society. https://doi.org/10.1109/PRDC.2017.28
