Computer Science

Computer Science ›› 2024, Vol. 51 ›› Issue (7): 380-388.doi: 10.11896/jsjkx.230400023

• Information Security • Previous Articles     Next Articles

Host Anomaly Detection Framework Based on Multifaceted Information Fusion of SemanticFeatures for System Calls

FAN Yi, HU Tao, YI Peng   

  1. Information Technology Institute,Information Engineering University,Zhengzhou 450002,China
  • Received:2023-04-05 Revised:2023-08-01 Online:2024-07-15 Published:2024-07-10
  • About author:FAN Yi,born in 1998,postgraduate.His main research interest is host anomaly detection.
    HU Tao,born in 1993,Ph.D,assistant researcher.His main research interests include new network architecture and active cyber defense.
  • Supported by:
    National Natural Science Foundation of China(62176264).

PDF (PC)

403

Abstract: Obfuscation attack can bypass the detection of host security protection mechanism on the premise of achieving the same attack effect by modifying the system call sequence generated by the process running.The existing system call-based host anomaly detection methods cannot effectively detect the modified system call sequence after obfuscation attacks.This paper proposes a host anomaly detection method based on the fusion of multiple semantic information of system call.This method starts with the multiple semantic information of the system call sequence,fully mining the deep semantic information of the system call sequence through the system call semantic information abstraction and the system call semantic feature extraction,and uses the multi-channel TextCNN to realize the fusion of multiple information for anomaly detection.Semantic abstraction of system call can realize the mapping of specific system call to its type and shield the influence of specific system call change on detection effect by extracting sequence abstract semantic information.The system call semantic feature extraction uses the attention mechanism to obtain the key semantic features that represent the sequence behavior pattern.Experimental results on ADFA-LD dataset show that the false alarm rate of this method for detecting general host anomaly is lower than 2.2%,and the F1 score reaches 0.980.The false alarm rate of detecting the confusion attack is lower than 2.8%,and the F1 score reaches 0.969.Is detection performance is better than that of other methods.

Key words: Host anomaly detection, System call semantic information fusion, Obfuscation attack, Deep learning, Attention mechanism

CLC Number: 

  • TP309
[1]ROSENBERG I,GUDES E.Bypassing system calls-based intrusion detection systems[J].Concurrency and Computation:Practice and Experience,2017,29(16):e4023.
[2]TONG F,YAN Z.A hybrid approach of mobile malware detection in Android[J].Journal of Parallel and Distributed Computing,2017,103:22-31.
[3]KHATER B S,WAHAB A W B A,IDRIS M Y I B,et al.A lightweight perceptron-based intrusion detection system for fog computing[J].Applied Sciences,2019,9(1):178-199.
[4]AGHAEI E,SERPEN G.Ensemble classifier for misuse detection using N-gram feature vectors through operating system call traces[J].International Journal of Hybrid Intelligent Systems,2017,14(3):141-154.
[5]XIE M,HU J,SLAY J.Evaluating host-based anomaly detection systems:Application of the one-class SVM algorithm to ADFA-LD[C]//2014 11th International Conference on Fuzzy Systems and Knowledge Discovery(FSKD).IEEE,2014:978-982.
[6]DAS P K,JOSHI A,FININ T.App behavioral analysis usingsystem calls[C]//2017 IEEE Conference on Computer Communications Workshops(INFOCOM WKSHPS).IEEE,2017:487-492.
[7]KIM Y.Convolutional Neural Networks for Sentence Classification[C]//Proceedings of the 2014 Conference on Empirical Methods in Natural Language Processing(EMNLP).Association for Computational Linguistics,2014:1746-1751.
[8]FORREST S,HOFMEYR S A,SOMAYAJI A,et al.A sense of self for unix processes[C]//Proceedings 1996 IEEE symposium on security and privacy.IEEE,1996:120-128.
[9]CREECH G,HU J.A semantic approach to host-based intrusion detection systems using contiguous and discontiguous system call patterns[J].IEEE Transactions on Computers,2013,63(4):807-819.
[10]MURTAZA S S,KHREICH W,HAMOU-LHADJ A,et al.A trace abstraction approach for host-based anomaly detection[C]//2015 IEEE Symposium on Computational Intelligence for Security and Defense Applications(CISDA).IEEE,2015:1-8.
[11]KHREICH W,KHOSRAVIFAR B,HAMOU-LHADJ A,et al.An anomaly detection system based on variable N-gram features and one-class SVM[J].Information and Software Technology,2017,91:186-197.
[12]JIANG G,CHEN H,UNGUREANU C,et al.Multiresolution abnormal trace detection using varied-Length n-grams and automata[J].IEEE Transactions on Systems,Man,and Cyberne-tics,Part C(Applications and Reviews),2006,37(1):86-97.
[13]CHEN Z L,YI P,CHEN X,et al.Real-time Anomaly Detection Framework via System Calls Based on Integrated Learning[J].Computer Engineering,2023,49(6):162-169,179.
[14]LIAO Y,VEMURI V R.Use of k-nearest neighbor classifier for intrusion detection[J].Computers & Security,2002,21(5):439-448.
[15]XIE M,HU J,YU X,et al.Evaluating host-based anomaly detection systems:Application of the frequency-based algorithms to ADFA-LD[C]//Network and System Security:8th International Conference(NSS 2014).Xi'an,China,Springer International Publishing,2014:542-549.
[16]LIU Z,JAPKOWICZ N,WANG R,et al.A statistical patternbased feature extraction method on system call traces for ano-maly detection[J].Information and Software Technology,2020,126:106348.
[17]WAGNER D,SOTO P.Mimicry attacks on host-based intrusion detection systems[C]//Proceedings of the 9th ACM Conference on Computer and Communications Security.2002:255-264.
[18]MING J,XIN Z,LAN P,et al.Replacement attacks:automatically impeding behavior-based malware specifications[C]//13th International Conference on Applied Cryptography and Network Security,ACNS 2015.Springer Verlag,2015:497-517.
[19]LE Q,MIKOLOV T.Distributed representations of sentencesand documents[C]//International Conference on Machine Learning.PMLR,2014:1188-1196.
[20]VASWANI A,SHAZEER N,PARMAR N,et al.Attention isall you need[C]//Proceedings of the 31st International Confe-rence on Neural Information Processing Systems(NIPS'17).Curran Associates Inc.,2017:6000-6010.
[21]CREECH G,HU J.Generation of a new IDS test dataset:Time to retire the KDD collection[C]//2013 IEEE Wireless Communications and Networking Conference(WCNC).IEEE,2013:4487-4492.
[22]XIE M,HU J.Evaluating host-based anomaly detection sys-tems:A preliminary analysis of ADFA-LD[C]//2013 6th International Congress on Image and Signal Processing(CISP).IEEE,2013:1711-1716.
[23]BORISANIYA B,PATEL D.Towards virtual machine intro-spection based security framework for cloud[J].Sādhanā,2019,44:1-15.
[24]SERPEN G,AGHAEI E.Host-based misuse intrusion detection using PCA feature extraction and kNN classification algorithms[J].Intelligent Data Analysis,2018,22(5):1101-1114.
[25]LAI S,XU L,LIU K,et al.Recurrent convolutional neural networks for text classification[C]//Proceedings of the AAAI Conference on Artificial Intelligence.2015:2267-2273.
[1] YANG Heng, LIU Qinrang, FAN Wang, PEI Xue, WEI Shuai, WANG Xuan. Study on Deep Learning Automatic Scheduling Optimization Based on Feature Importance [J]. Computer Science, 2024, 51(7): 22-28.
[2] BAI Wenchao, BAI Shuwen, HAN Xixian, ZHAO Yubo. Efficient Query Workload Prediction Algorithm Based on TCN-A [J]. Computer Science, 2024, 51(7): 71-79.
[3] ZENG Zihui, LI Chaoyang, LIAO Qing. Multivariate Time Series Anomaly Detection Algorithm in Missing Value Scenario [J]. Computer Science, 2024, 51(7): 108-115.
[4] YANG Zhenzhen, WANG Dongtao, YANG Yongpeng, HUA Renyu. Multi-embedding Fusion Based on top-N Recommendation [J]. Computer Science, 2024, 51(7): 140-145.
[5] HU Haibo, YANG Dan, NIE Tiezheng, KOU Yue. Graph Contrastive Learning Incorporating Multi-influence and Preference for Social Recommendation [J]. Computer Science, 2024, 51(7): 146-155.
[6] LI Jiaying, LIANG Yudong, LI Shaoji, ZHANG Kunpeng, ZHANG Chao. Study on Algorithm of Depth Image Super-resolution Guided by High-frequency Information ofColor Images [J]. Computer Science, 2024, 51(7): 197-205.
[7] LOU Zhengzheng, ZHANG Xin, HU Shizhe, WU Yunpeng. Foggy Weather Object Detection Method Based on YOLOX_s [J]. Computer Science, 2024, 51(7): 206-213.
[8] YAN Jingtao, LI Yang, WANG Suge, PAN Bangze. Overlap Event Extraction Method with Language Granularity Fusion Based on Joint Learning [J]. Computer Science, 2024, 51(7): 287-295.
[9] WEI Ziang, PENG Jian, HUANG Feihu, JU Shenggen. Text Classification Method Based on Multi Graph Convolution and Hierarchical Pooling [J]. Computer Science, 2024, 51(7): 303-309.
[10] WANG Xianwei, FENG Xiang, YU Huiqun. Multi-agent Cooperative Algorithm for Obstacle Clearance Based on Deep Deterministic PolicyGradient and Attention Critic [J]. Computer Science, 2024, 51(7): 319-326.
[11] SHI Dianxi, GAO Yunqi, SONG Linna, LIU Zhe, ZHOU Chenlei, CHEN Ying. Deep-Init:Non Joint Initialization Method for Visual Inertial Odometry Based on Deep Learning [J]. Computer Science, 2024, 51(7): 327-336.
[12] GAN Run, WEI Xianglin, WANG Chao, WANG Bin, WANG Min, FAN Jianhua. Backdoor Attack Method in Autoencoder End-to-End Communication System [J]. Computer Science, 2024, 51(7): 413-421.
[13] WANG Yingjie, ZHANG Chengye, BAI Fengbo, WANG Zumin. Named Entity Recognition Approach of Judicial Documents Based on Transformer [J]. Computer Science, 2024, 51(6A): 230500164-9.
[14] ZHU Yuliang, LIU Juntao, RAO Ziyun, ZHANG Yi, CAO Wanhua. Knowledge Reasoning Model Combining HousE with Attention Mechanism [J]. Computer Science, 2024, 51(6A): 230600209-8.
[15] LIANG Fang, XU Xuyao, ZHAO Kailong, ZHAO Xuanfeng, ZHANG Guijun. Remote Template Detection Algorithm and Its Application in Protein Structure Prediction [J]. Computer Science, 2024, 51(6A): 230600225-7.
Viewed
Full text


Abstract

Cited
  Shared   
  Discussed   
No Suggested Reading articles found!
渝ICP备16013121号-4
Add:18# Honghu West Rd., Yubei ,Chongqing,China    Post Code: 401121
Tel: 023-63500828/023-67039612/023-67039623
E-mail: jsjkx12@163.com
Powered by Beijing Magtech Co., Ltd.