Shraddha Suratkar, F. Kazi, R. Gaikwad, Akshay Shete, Raj Kabra, Shantanu Khirsagar
DOI: 10.1109/IBSSC47189.2019.8973098
Published in: 2019 IEEE Bombay Section Signature Conference (IBSSC), July 2019
Citation count (Semantic Scholar): 6
Multi Hidden Markov Models for Improved Anomaly Detection Using System Call Analysis
Intrusion detection systems are used for detecting attacks on a system. A host-based intrusion detection system (HIDS) detects ongoing attacks on a host system. A HIDS model is proposed using system call analysis, consisting of two modules: an Anomaly Detection module and a Multi-HMM module for state prediction. The Anomaly Detection module uses the Long Short-Term Memory (LSTM) architecture, a special type of recurrent neural network, to detect anomalies in system call traces. It models the normal behaviour of the system using system call patterns, which enables it to detect even ‘zero-day’ attacks. The state prediction module is based on Multiple Hidden Markov Models (Multi-HMM), in which each HMM models a known attack. It takes a sequence of system calls as input and predicts the next ‘N’ most probable system calls during the attack. After performing a number of experiments, results show that the model has a high recognition rate and a low false alarm rate.
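The state prediction module described above, as an added toy example that is not the paper's code: each known attack is one small HMM over a syscall alphabet, the forward algorithm scores an observed prefix against every model, and the best-matching model yields the N most probable next syscalls. The syscall alphabet, the two attack models and all their parameters are constructed for illustration; the paper does not publish them.

```python
# Added example (not the paper's code): toy Multi-HMM state predictor.
# All syscall names, models and probabilities below are constructed.
SYSCALLS = ["open", "read", "write", "socket", "connect", "execve"]
IDX = {s: i for i, s in enumerate(SYSCALLS)}

class AttackHMM:
    """One HMM per known attack: pi = initial, A[i][j] = transition, B[i][k] = emission."""
    def __init__(self, name, pi, A, B):
        self.name, self.pi, self.A, self.B = name, pi, A, B

    def forward(self, trace):
        """Forward algorithm; returns (unnormalised alpha_T, P(trace | model))."""
        alpha = [p * self.B[i][IDX[trace[0]]] for i, p in enumerate(self.pi)]
        for sym in trace[1:]:
            k = IDX[sym]
            alpha = [sum(alpha[i] * self.A[i][j] for i in range(len(alpha))) * self.B[j][k]
                     for j in range(len(self.pi))]
        return alpha, sum(alpha)

    def next_call_dist(self, trace):
        """P(o_{T+1} = s | o_1..o_T) for every syscall s under this model."""
        alpha, total = self.forward(trace)
        if total == 0:                      # trace impossible under this model
            return {s: 0.0 for s in SYSCALLS}
        belief = [a / total for a in alpha]                          # P(state_T | trace)
        pred = [sum(belief[i] * self.A[i][j] for i in range(len(belief)))
                for j in range(len(self.pi))]                        # P(state_{T+1} | trace)
        return {s: sum(pred[j] * self.B[j][IDX[s]] for j in range(len(pred)))
                for s in SYSCALLS}

def predict_next(models, trace, n):
    """Pick the attack model that best explains the trace; return its top-n next syscalls."""
    best = max(models, key=lambda m: m.forward(trace)[1])
    dist = best.next_call_dist(trace)
    return best.name, sorted(dist, key=dist.get, reverse=True)[:n]

# Constructed "known attack" models, two hidden states each (setup -> action).
REVERSE_SHELL = AttackHMM("reverse_shell", [1.0, 0.0],
    [[0.5, 0.5], [0.0, 1.0]],
    [[0.05, 0.05, 0.05, 0.5, 0.3, 0.05], [0.05, 0.05, 0.1, 0.05, 0.05, 0.7]])
DATA_EXFIL = AttackHMM("data_exfil", [1.0, 0.0],
    [[0.4, 0.6], [0.0, 1.0]],
    [[0.45, 0.45, 0.04, 0.02, 0.02, 0.02], [0.02, 0.05, 0.05, 0.4, 0.45, 0.03]])
MODELS = [REVERSE_SHELL, DATA_EXFIL]

if __name__ == "__main__":
    print(predict_next(MODELS, ["socket", "connect"], 2))
```

In a deployment the LSTM anomaly module would gate this step, so that next-call prediction runs only on traces already flagged as anomalous.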