Model-based Cluster Analysis for Identifying Suspicious Activity Sequences in Software

Hemank Lamba, Thomas J. Glazier, J. Cámara, B. Schmerl, D. Garlan, J. Pfeffer
{"title":"Model-based Cluster Analysis for Identifying Suspicious Activity Sequences in Software","authors":"Hemank Lamba, Thomas J. Glazier, J. Cámara, B. Schmerl, D. Garlan, J. Pfeffer","doi":"10.1145/3041008.3041014","DOIUrl":null,"url":null,"abstract":"Large software systems have to contend with a significant number of users who interact with different components of the system in various ways. The sequences of components that are used as part of an interaction define sets of behaviors that users have with the system. These can be large in number. Among these users, it is possible that there are some who exhibit anomalous behaviors -- for example, they may have found back doors into the system and are doing something malicious. These anomalous behaviors can be hard to distinguish from normal behavior because of the number of interactions a system may have, or because traces may deviate only slightly from normal behavior. In this paper we describe a model-based approach to cluster sequences of user behaviors within a system and to find suspicious, or anomalous, sequences. We exploit the underlying software architecture of a system to define these sequences. We further show that our approach is better at detecting suspicious activities than other approaches, specifically those that use unigrams and bigrams for anomaly detection. We show this on a simulation of a large scale system based on Amazon Web application style architecture.","PeriodicalId":137012,"journal":{"name":"Proceedings of the 3rd ACM on International Workshop on Security And Privacy Analytics","volume":"94 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-03-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"7","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 3rd ACM on International Workshop on Security And Privacy Analytics","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3041008.3041014","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 7

Abstract

Large software systems have to contend with a significant number of users who interact with different components of the system in various ways. The sequences of components that are used as part of an interaction define sets of behaviors that users have with the system. These can be large in number. Among these users, it is possible that there are some who exhibit anomalous behaviors -- for example, they may have found back doors into the system and are doing something malicious. These anomalous behaviors can be hard to distinguish from normal behavior because of the number of interactions a system may have, or because traces may deviate only slightly from normal behavior. In this paper we describe a model-based approach to cluster sequences of user behaviors within a system and to find suspicious, or anomalous, sequences. We exploit the underlying software architecture of a system to define these sequences. We further show that our approach is better at detecting suspicious activities than other approaches, specifically those that use unigrams and bigrams for anomaly detection. We show this on a simulation of a large scale system based on Amazon Web application style architecture.
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
基于模型的聚类分析识别软件中可疑活动序列
大型软件系统必须应对大量用户,这些用户以各种方式与系统的不同组件进行交互。作为交互的一部分使用的组件序列定义了用户对系统的行为集。它们的数量可能很大。在这些用户中,可能有一些人表现出异常行为——例如,他们可能发现了进入系统的后门,并正在做一些恶意的事情。这些异常行为很难从正常行为中区分出来,因为系统可能有很多相互作用,或者因为痕迹可能只与正常行为有轻微的偏离。在本文中,我们描述了一种基于模型的方法来聚类系统内的用户行为序列,并发现可疑或异常的序列。我们利用系统的底层软件架构来定义这些序列。我们进一步表明,我们的方法在检测可疑活动方面比其他方法更好,特别是那些使用一元图和双元图进行异常检测的方法。我们在一个基于Amazon Web应用程序风格架构的大型系统的模拟中展示了这一点。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
自引率
0.00%
发文量
0
期刊最新文献
Analysis of Causative Attacks against SVMs Learning from Data Streams EMULATOR vs REAL PHONE: Android Malware Detection Using Machine Learning Non-interactive (t, n)-Incidence Counting from Differentially Private Indicator Vectors Predicting Exploitation of Disclosed Software Vulnerabilities Using Open-source Data MCDefender: Toward Effective Cyberbullying Defense in Mobile Online Social Networks
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1