DOI: 10.1145/3230833.3230852 · Research article · ARES Conference Proceedings

Behavioural Comparison of Systems for Anomaly Detection

Published: 27 August 2018

Abstract

The internet is a bottomless cesspool of malicious software that attacks users and their devices, or servers that offer services, on a worldwide scale. A defence against this constant barrage of attacks is difficult. While knowledge of previous attacks helps to prevent some new attacks, a determined attacker will almost always succeed. This paper proposes an approach to detect novel attacks via a comparison of system behaviour. A combination of system-wide event collection and subsequent data analysis fingerprints processes and their file access behaviour. A comparison of these fingerprints results in seven "sameness" categories for processes, sorted from completely identical behaviour to unique and therefore highly suspicious. This categorisation provides guidance for further detailed assessment, if required. Results and insights from a prototype implementation suggest that the presented approach is a strategy for the detection of novel attacks.


Cited By

  • Smart Recon: Network Traffic Fingerprinting for IoT Device Identification. 2022 IEEE 12th Annual Computing and Communication Workshop and Conference (CCWC), pp. 0072-0079, 26 Jan 2022. DOI: 10.1109/CCWC54503.2022.9720739
  • Towards Resilient Artificial Intelligence: Survey and Research Issues. 2021 IEEE International Conference on Cyber Security and Resilience (CSR), pp. 536-542, 26 Jul 2021. DOI: 10.1109/CSR51186.2021.9527986
  • IoT Traffic Flow Identification using Locality Sensitive Hashes. ICC 2020 - 2020 IEEE International Conference on Communications (ICC), pp. 1-6, Jun 2020. DOI: 10.1109/ICC40277.2020.9148743
  • Explainable Artificial Intelligence: Concepts, Applications, Research Challenges and Visions. Machine Learning and Knowledge Extraction, pp. 1-16, 18 Aug 2020. DOI: 10.1007/978-3-030-57321-8_1


Published In

ARES '18: Proceedings of the 13th International Conference on Availability, Reliability and Security
August 2018, 603 pages
ISBN: 9781450364485
DOI: 10.1145/3230833
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

In-Cooperation

  • Universität Hamburg

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. System security
  2. anomaly detection
  3. intrusion detection
  4. malware detection
  5. system state comparison

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES 2018

Acceptance Rates

ARES '18 paper acceptance rate: 128 of 260 submissions, 49%
Overall acceptance rate: 228 of 451 submissions, 51%

