2018 | Original paper | Book chapter

Designing Anomaly Detection System for Cloud Servers by Frequency Domain Features of System Call Identifiers and Machine Learning

Authors: Waqas Haider, Jiankun Hu, Nour Moustafa

Published in: Mobile Networks and Management

Publisher: Springer International Publishing


Abstract

Protecting operating systems from current cyber threats is of paramount importance, since any known or unknown cyber-attack ultimately depends on the functions of the machine's operating system. To design an anomaly detection system that protects an operating system from unknown attacks, the first crucial step is acquiring comprehensive information about running activities. System call identifiers are among the logs that most directly reflect running activities in an operating system. A number of host anomaly detection systems based on system call identifiers have been presented over the last two decades, using the raw system call identifiers as their logs. However, because of the stealth and penetration power of unknown attacks, more of the possible logs from the machine's operating system need to be acquired and investigated for reliable protection. In this paper, we first apply the sine and Fourier transformations to short sequences of system call identifiers in order to model the frequency domain feature vector of any running activity on the cloud server. Second, different machine learning algorithms are trained and tested as the anomaly detection engine, using the frequency-domain-transformed feature vectors of the short sequences of system call identifiers. The proposed work is evaluated on the recently released intrusion detection system data set NGIDS-DS, alongside two older data sets for comparison. The experimental results indicate that frequency domain feature vectors of short sequences of system call identifiers perform better than raw short sequences of system call identifiers, both in detecting anomalies and in building the normal profile.
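The abstract describes a pipeline: cut a system-call-identifier trace into short sequences, map each sequence into the frequency domain with a sine and a Fourier transformation, and let a learned engine compare the resulting feature vectors against a normal profile. The following Python block is an added illustration of that pipeline and is not the chapter's code; the window length of 8, the use of a DST-I sine transform followed by the DFT magnitude spectrum, the z-score normal profile with a threshold of twice the worst training score, and the constructed sample traces are all assumptions of this example rather than the authors' published parameters or data.

```python
"""Frequency-domain feature vectors from short system-call-ID sequences.

Added illustration, not the chapter's code. The window length, the choice of a
DST-I sine transform followed by a DFT magnitude spectrum, and the z-score
profile are assumptions made for this example.
"""
import cmath
import math
from typing import List, Sequence, Tuple

WINDOW = 8  # assumed length of the "short sequence" of syscall identifiers


def windows(ids: Sequence[int], size: int = WINDOW) -> List[List[int]]:
    """Slide a fixed-length window over a trace of system call identifiers."""
    return [list(ids[i:i + size]) for i in range(len(ids) - size + 1)]


def sine_transform(seq: Sequence[int]) -> List[float]:
    """DST-I of a short integer sequence (assumed form of the sine transformation):
    X_k = sum_n s_n * sin(pi * (n+1) * (k+1) / (N+1))."""
    n = len(seq)
    return [
        sum(s * math.sin(math.pi * (i + 1) * (k + 1) / (n + 1)) for i, s in enumerate(seq))
        for k in range(n)
    ]


def fourier_magnitudes(x: Sequence[float]) -> List[float]:
    """|X_k| of the DFT for k = 0 .. N//2; the upper half is redundant for real input."""
    n = len(x)
    return [
        abs(sum(x[i] * cmath.exp(-2j * math.pi * k * i / n) for i in range(n)))
        for k in range(n // 2 + 1)
    ]


def feature_vector(seq: Sequence[int]) -> List[float]:
    """Frequency-domain feature vector of one short syscall-ID sequence."""
    return fourier_magnitudes(sine_transform(seq))


Profile = Tuple[List[float], List[float], float]  # (means, stds, threshold)


def _zscore_norm(vec, means, stds, eps=1e-6):
    """Euclidean norm of the per-dimension z-scores; eps guards constant dimensions."""
    return math.sqrt(sum(((x - m) / (s + eps)) ** 2 for x, m, s in zip(vec, means, stds)))


def build_profile(normal_trace: Sequence[int], margin: float = 2.0) -> Profile:
    """Normal profile: per-dimension mean and std of the feature vectors of every
    window in a clean trace, plus a threshold of margin * highest training score."""
    vecs = [feature_vector(w) for w in windows(normal_trace)]
    n, dims = len(vecs), len(vecs[0])
    means = [sum(v[d] for v in vecs) / n for d in range(dims)]
    stds = [math.sqrt(sum((v[d] - means[d]) ** 2 for v in vecs) / n) for d in range(dims)]
    worst = max(_zscore_norm(v, means, stds) for v in vecs)
    return means, stds, margin * worst


def anomaly_score(seq: Sequence[int], profile: Profile) -> float:
    means, stds, _ = profile
    return _zscore_norm(feature_vector(seq), means, stds)


def is_anomalous(seq: Sequence[int], profile: Profile) -> bool:
    return anomaly_score(seq, profile) > profile[2]


def scan(trace: Sequence[int], profile: Profile):
    """Score every window of a trace; returns (offset, score, flagged) triples."""
    return [(i, anomaly_score(w, profile), is_anomalous(w, profile))
            for i, w in enumerate(windows(trace))]


# Constructed sample traces. The integers are x86-64 syscall numbers picked for
# illustration (0 read, 1 write, 2 open, 3 close, 5 fstat, 9 mmap, 11 munmap,
# 12 brk, 57 fork, 59 execve); they are not taken from NGIDS-DS or any real host.
NORMAL_PATTERN = [0, 1, 2, 3, 5, 9, 11, 12]
NORMAL_TRACE = NORMAL_PATTERN * 6
ANOMALOUS_TRACE = NORMAL_PATTERN * 2 + [59, 57] * 4 + NORMAL_PATTERN * 2

if __name__ == "__main__":
    profile = build_profile(NORMAL_TRACE)
    for offset, score, flagged in scan(ANOMALOUS_TRACE, profile):
        print(f"window@{offset:2d} score={score:7.2f} {'ANOMALY' if flagged else 'normal'}")
```

The z-score profile stands in for the machine learning engines the chapter evaluates; any classifier that accepts fixed-length numeric vectors can be trained on the output of `feature_vector` in the same way. Because the DST-I is not shift invariant, each rotation of the repeating normal pattern yields a different vector, so the profile has non-zero spread even on a perfectly periodic trace, and the windows overlapping the injected `fork`/`execve` burst score far outside it.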


Metadata
Title
Designing Anomaly Detection System for Cloud Servers by Frequency Domain Features of System Call Identifiers and Machine Learning
Authors
Waqas Haider
Jiankun Hu
Nour Moustafa
Copyright year
2018
DOI
https://doi.org/10.1007/978-3-319-90775-8_12