Computer Science

Computer Science ›› 2022, Vol. 49 ›› Issue (6): 350-355.doi: 10.11896/jsjkx.210500031

• Information Security • Previous Articles     Next Articles

Anomaly Detection Framework of System Call Trace Based on Sequence and Frequency Patterns

WEI Hui, CHEN Ze-mao, ZHANG Li-qiang   

  1. Key Laboratory of Aerospace Information Security and Trusted Computing,Ministry of Education,School of Cyber Science and Engineering,Wuhan University,Wuhan 430072,China
  • Received:2021-05-07 Revised:2021-07-30 Online:2022-06-15 Published:2022-06-08
  • About author:WEI Hui,born in 1998,postgraduate.His main research interests include network security and deep learning.
    CHEN Ze-mao,born in 1975,Ph.D,professor.His main research interests include information system security,trusted computing and equipment information security.
  • Supported by:
    Key R & D Projects of Hubei Province(2020BAA001).

PDF (PC)

481

Abstract: The existing system call-based anomaly intrusion detection methods can’t accurately describe the behavior of the process by a single trace pattern.In this paper,the process behavior is modeled based on the sequence and frequency patterns of system call trace,and a data-driven anomaly detection framework is designed.The framework could detect both sequential and quantitative anomalies of the system call trace simultaneously.With the help of combinational window mechanism,the framework could realize offline fine-grained learning and online anomaly real-time detection by meeting different requirements of offline trai-ning and online detection for extracting trace information.Performance comparison experiments of unknown anomalies detection are conducted on the ADFA-LD intrusion detection standard dataset.The results show that,compared with the four traditional machine learning methods and four deep learning methods,the comprehensive detection performance of the framework improves by about 10%.

Key words: Deep neural network, Host-based intrusion detection systems, Long and short-term memory neural network, System calls

CLC Number: 

  • TP393
[1] MORA-GIMENOF J,MORA-MORA H.Intrusion DetectionSystem Based on Integrated System Calls Graph and Neural Networks[J].IEEE Access,2021(9):9822-9833.
[2] LIU M,XUE Z,XU X,et al.Host-Based Intrusion DetectionSystem with System Calls:Review and Future Trends[J].ACM Computing Surveys,2018,51(5):98-136.
[3] CHEN X S,CHEN J X,JIN X,et al.Process Abnormal Detection Based on System Call Vector Space in Cloud Computing Environments[J].Journal of Computer Research and Development,2019,56(12):2684-2693.
[4] CHEN X S,JIN Y L,WANG Y L,et al.Anomaly Detection of Processes Behavior in Container Based on LSTM Neural Network[J].Acta Electronica Sinica,2021,49(1):149-156.
[5] SUN P,LIU P,LI Q,et al.DL-IDS:Extracting Features Using CNN-LSTM Hybrid Network for Intrusion Detection System[J].Security and Communication Networks,2020,5(55):639-652.
[6] CHAWL A,LEE B,FALLON S,et al.Host Based Intrusion Detection System with Combined CNN/RNN Model[C]//ECML PKDD 2018 Workshops.Lecture Notes in Computer Science.Cham:Springer,2019:149-158.
[7] FORREST S,HOFMEVRS A,SOMAYAJI A,et al.A sense of self for Unix processes[C]//Proceedings of IEEE Symposium on Security and Privacy.Oakland:IEEE press,1996:120-128.
[8] DING Y X,YUAN X B,ZHOU D,et al.Feature representation and selection in malicious code detection methods based on static system calls[J].Computers & Security,2011,30(6):514-524.
[9] JOHNSON R,TONG Z.Learning Nonlinear Functions Using Regularized Greedy Forest[J].IEEE Transactions Pattern Analysis and Machine Intelligence,2014,36(5):942-954.
[10] WEAL K,SYED S M,ABEDL H L,et al.Combining heterogeneous anomaly detectors for improved software security[J].Journal of Systems and Software,2017,137(MAR.):415-429.
[11] DARREN M,FREDRIK V,GIOVANNI K,et al.Anomaloussystem call detection[C]//ACM Transactions on Information and System Security.2006:61-93.
[12] CREECH G,HU J.A Semantic Approach to Host-Based Intrusion Detection Systems Using Contiguous and Discontinuous System Call Patterns[J].IEEE Transactions on Computers,2014,63(4):807-819.
[13] XIE M,HU J,YU X,et al.Evaluating Host-Based Anomaly Detection Systems:Application of the Frequency-Based Algorithms to ADFA-LD[C]//Network and System Security.Cham:Springer,2015:542-549.
[14] SANJEEV D,YANG L,WEI Z,et al.Semantics-based onlinemalware detection:Towards efficient real-time protection against malware[J].IEEE Transaction on Information Forensics and Security,2016,11(2):289-302.
[15] LV S H,JIAN W,YANG Y Q,et al.Intrusion prediction with system-call sequence-to-sequence model[J].IEEE Access,2018(6):71413-71421.
[16] KOLOSNJAII B,ZARRAS A,WEBSTER G,et al.Deep Lear-ning for Classification of Malware System Call Sequences[C]//Advances in Artificial Intelligence.Cham:Springer,2016:137-149.
[17] ZHAN J,TONG Y,XU M D,et al.A Method for Data Collection and Real-Time Anomaly Detection of Lightweight Hosts[J].Journal of Xi’an Jiaotong University,2017,51(4):97-102.
[18] XU L F,ZHANG D P,ALVAREZ M A,et al.Dynamic android malware classification using graph-based re-presentations[C]//IEEE International Conference on Cyber Security and Cloud Computing.IEEE.2016:220-331.
[19] WUNDERLICH S,RING M,LANDES D,et al.Comparison of System Call Representations for Intrusion Detection[C]//Computational Intelligence in Security for Information Systems and International Conference on European Transnational Education.Cham:Springer,2019:14-24.
[20] HOCHREITER S,SCHMIDHUBER J.Long Short-Term Me-mory[J].Neural Computation,1997,9(8):1735-1780.
[21] CREECH G,HU J.Generation of a new IDS test dataset:Time to retire the KDD collection[C]//IEEE Wireless Communications and Networking Conference (WCNC).2013:4487-4492.
[1] GAO Jie, LIU Sha, HUANG Ze-qiang, ZHENG Tian-yu, LIU Xin, QI Feng-bin. Deep Neural Network Operator Acceleration Library Optimization Based on Domestic Many-core Processor [J]. Computer Science, 2022, 49(5): 355-362.
[2] JIAO Xiang, WEI Xiang-lin, XUE Yu, WANG Chao, DUAN Qiang. Automatic Modulation Recognition Based on Deep Learning [J]. Computer Science, 2022, 49(5): 266-278.
[3] FAN Hong-jie, LI Xue-dong, YE Song-tao. Aided Disease Diagnosis Method for EMR Semantic Analysis [J]. Computer Science, 2022, 49(1): 153-158.
[4] ZHOU Xin, LIU Shuo-di, PAN Wei, CHEN Yuan-yuan. Vehicle Color Recognition in Natural Traffic Scene [J]. Computer Science, 2021, 48(6A): 15-20.
[5] LIU Dong, WANG Ye-fei, LIN Jian-ping, MA Hai-chuan, YANG Run-yu. Advances in End-to-End Optimized Image Compression Technologies [J]. Computer Science, 2021, 48(3): 1-8.
[6] MA Lin, WANG Yun-xiao, ZHAO Li-na, HAN Xing-wang, NI Jin-chao, ZHANG Jie. Network Intrusion Detection System Based on Multi-model Ensemble [J]. Computer Science, 2021, 48(11A): 592-596.
[7] PAN Yu, ZOU Jun-hua, WANG Shuai-hui, HU Gu-yu, PAN Zhi-song. Deep Community Detection Algorithm Based on Network Representation Learning [J]. Computer Science, 2021, 48(11A): 198-203.
[8] LIU Tian-xing, LI Wei, XU Zheng, ZHANG Li-hua, QI Xiao-ya, GAN Zhong-xue. Monte Carlo Tree Search for High-dimensional Continuous Control Space [J]. Computer Science, 2021, 48(10): 30-36.
[9] ZHANG Yan-mei, LOU Yin-cheng. Deep Neural Network Based Ponzi Scheme Contract Detection Method [J]. Computer Science, 2021, 48(1): 273-279.
[10] DING Zi-ang, LE Cao-wei, WU Ling-ling and FU Ming-lei. PM2.5 Concentration Prediction Method Based on CEEMD-Pearson and Deep LSTM Hybrid Model [J]. Computer Science, 2020, 47(6A): 444-449.
[11] SHANG Jun-yuan, YANG Le-han, HE Kun. Analyzing Latent Representation of Deep Neural Networks Based on Feature Visualization [J]. Computer Science, 2020, 47(5): 190-197.
[12] TANG Guo-qiang,GAO Da-qi,RUAN Tong,YE Qi,WANG Qi. Clinical Electronic Medical Record Named Entity Recognition Incorporating Language Model and Attention Mechanism [J]. Computer Science, 2020, 47(3): 211-216.
[13] FAN Wei, LIU Ting, HUANG Rui, GUO Qing, ZHANG Bao. Low-level CNN Feature Aided Image Instance Segmentation [J]. Computer Science, 2020, 47(11): 186-191.
[14] KONG Fan-yu, ZHOU Yu-feng, CHEN Gang. Traffic Flow Prediction Method Based on Spatio-Temporal Feature Mining [J]. Computer Science, 2019, 46(7): 322-326.
[15] XIAO Rui, JIANG Jia-qi, ZHANG Yun-chun. Study on Semantic Topology and Supervised Word Sense Disambiguation of Polysemous Words [J]. Computer Science, 2019, 46(11A): 13-18.
Viewed
Full text


Abstract

Cited
  Shared   
  Discussed   
No Suggested Reading articles found!
渝ICP备16013121号-4
Add:18# Honghu West Rd., Yubei ,Chongqing,China    Post Code: 401121
Tel: 023-63500828/023-67039612/023-67039623
E-mail: jsjkx12@163.com
Powered by Beijing Magtech Co., Ltd.