Automated monitoring and debugging of large scale manycore heterogeneous systems - HIDS

An Improved Hidden Markov Model for Anomaly Detection Using Frequent Common Patterns

ahamou-lhadj — Wed, 13 Nov 2013 22:43:51 +0000

A. Sultana, A. Hamou-Lhadj, M. Couture, "An Improved Hidden Markov Model for Anomaly Detection Using Frequent Common Patterns", The IEEE International Conference on Communications (ICC’12), Communication and Information Systems Security Symposium, Ottawa, ON, 2012.

Host-based intrusion detection techniques are needed to ensure the safety and security of software systems, especially, if these systems handle sensitive data. Most host-based intrusion detection systems involve building some sort of reference models offline, usually from execution traces (in the absence of the source code), to characterize the system healthy behavior. The models can later be used as a baseline for online detection of abnormal behavior. Perhaps the most popular techniques are the ones based on the use of Hidden Markov Models (HMM). These techniques, however, require long training time of the models, which makes them computationally infeasible, the main reason being the large size of typical traces, often millions of lines long. In this paper, we propose an improved HMM using the concept of frequent common patterns. In other words, we build models based on extracting the largest n-grams (patterns) in the traces instead of taking each trace event on its own. We show through a case study that our approach can reduce the training time by 31.96%-48.44% compared to the original HMM algorithms while keeping almost the same accuracy rate.

A Host-based Anomaly Detection Approach by Representing System Calls as States of Kernel Modules

ahamou-lhadj — Wed, 13 Nov 2013 22:29:02 +0000

S. S. Murtaza, W. Khreich, A. Hamou-Lhadj, M. Couture , "A Host-based Anomaly Detection Approach by Representing System Calls as States of Kernel Modules," In Proc. of the 24th IEEE International Symposium on Software Reliability Engineering (ISSRE), Pasadena, CA, USA, 2013.

Despite over two decades of research, high false alarm rates, large trace sizes and high processing times remain among the key issues in host-based anomaly intrusion detection systems. In an attempt to reduce the false alarm rate and processing time while increasing the detection rate, this paper presents a novel anomaly detection technique based on semantic interactions of system calls. The key concept is to represent system calls as states of kernel modules, analyze the state interactions, and identify anomalies by comparing the probabilities of occurrences of states in normal and anomalous traces. In addition, the proposed technique allows a visual understanding of system behaviour, and hence a more informed decision making. We evaluated this technique on Linux based programs of UNM datasets and a new modern Firefox dataset. We created the Firefox dataset on Linux using contemporary test suites and hacking techniques. The results show that our technique yields fewer false alarms and can handle large traces with smaller (or comparable) processing times compared against the existing techniques for the host based anomaly intrusion detection systems.

Automated monitoring and debugging of large scale manycore heterogeneous systems - HIDS

An Improved Hidden Markov Model for Anomaly Detection Using Frequent Common Patterns

Tags:

A Host-based Anomaly Detection Approach by Representing System Calls as States of Kernel Modules

Tags: