factorwarez
warez 时间:2021-01-03 阅读:(
)
LearningUsefulSystemCallAttributesforAnomalyDetectionGauravTandonandPhilipK.
ChanDepartmentofComputerSciencesFloridaInstituteofTechnologyMelbourne,FL32901{gtandon,pkc}@cs.
fit.
eduAbstractTraditionalhost-basedanomalydetectionsystemsmodelnormalbehaviorofapplicationsbyanalyzingsystemcallsequences.
Currentsequenceisthenexamined(usingthemodel)foranomalousbehavior,whichcouldcorrespondtoattacks.
Thoughthesetechniqueshavebeenshowntobequiteeffective,akeyelementseemstobemissing–theinclusionandutilizationofthesystemcallarguments.
Recentresearchshowsthatsequence-basedsystemsarepronetoevasion.
Weproposeanideaoflearningdifferentrepresentationsforsystemcallarguments.
Resultsindicatethatthisinformationcanbeeffectivelyusedfordetectingmoreattackswithreasonablespaceandtimeoverhead.
IntroductionIntrusiondetectionsystems(IDSs)aregenerallycategorizedassignature-basedandanomaly-based.
Insignaturedetection,systemsaremodeleduponknownattackpatternsandthetestdataischeckedfortheoccurrenceofthesepatterns.
Suchsystemshaveahighdegreeofaccuracybutsufferfromtheinabilitytodetectnovelattacks.
Anomalydetectioncomplementssignaturedetectionbymodelingnormalbehaviorofapplications.
Significantdeviationsfromthisbehaviorareconsideredanomalous.
Suchsystemscandetectnovelattacks,butgeneratefalsealarmssincenotallanomaliesarenecessarilyhostile.
Intrusiondetectionsystemscanalsobecategorizedasnetwork-based,whichdealswithnetworktraffic;andhost-based,whereoperatingsystemeventsaremonitored.
Mostofthetraditionalhost-basedanomalydetectionsystemsfocusonsystemcallsequences,theassumptionbeingthatamaliciousactivityresultsinanabnormal(novel)sequenceofsystemcalls.
Recentresearchhasshownthatsequence-basedsystemscanbecompromisedbyconductingmimicryattacks.
Suchattacksarepossiblebyinsertingdummysystemcallswithinvalidargumentssuchthattheyformalegitimatesequenceofevents.
Adrawbackofsequence-basedapproachesliesintheirnon-utilizationofotherkeyattributes,namelythesystemcallarguments.
Theefficacyofsuchsystemsmightbeimproveduponifarichersetofattributes(returnvalue,errorstatusandotherarguments)associatedwithasystemCopyright2005,AmericanAssociationforArtificialIntelligence(www.
aaai.
org).
Allrightsreserved.
callisusedtocreatethemodel.
Inthispaperwepresentahost-basedanomalydetectionsystemthatisbaseduponsystemcallarguments.
WelearntheimportantattributesusingavariantofarulelearningalgorithmcalledLERAD.
Wealsopresentvariousargument-basedrepresentationsandcomparetheirperformancewithsomeofthewell-knownsequence-basedtechniques.
Ourmaincontributionsare:(1)weincorporatevarioussystemcallattributes(returnvalue,errorstatusandotherarguments)forbetterapplicationmodeling;(2)weproposeenrichedrepresentationsusingsystemcallsequencesandarguments;(3)weuseavariantofarulelearningalgorithmtolearntheimportantattributesfromthefeaturespace;(4)wedemonstratetheeffectivenessofourmodels(intermsofnumberofattackdetections,timeandspaceoverhead)byperformingexperimentsonthreedifferentdatasets;and(5)wepresentananalysisoftheanomaliesdetected.
Oursequence-basedmodeldetectsmoreattacksthantraditionaltechniques,indicatingthattherulelearningtechniqueisabletogeneralizewell.
Ourargument-basedsystemsareabletodetectmoreattacksthantheirsequence-basedcounterparts.
Thetimeandspacerequirementsforourmodelsarereasonableforonlinedetection.
RelatedWorkTime-delayembedding(tide)recordsexecutionsofnormalapplicationexecutionsusinglook-aheadpairs(Forrestetal.
1996).
UNIXcommandsequenceswerealsoexaminedtocaptureuserprofilesandcomputesequencesimilarityusingadjacenteventsinaslidingwindow(LaneandBrodley1997).
Sequencetime-delayembedding(stide)memorizesallcontiguoussequencesofpredetermined,fixedlengthsduringtraining(Warrender,Forrest,andPearlmutter1999).
Afurtherextension,calledsequencetime-delayembeddingwith(frequency)threshold(t-stide),wassimilartostidewiththeexceptionthatthefrequenciesofthesefixedlengthsequenceswerealsotakenintoaccount.
Raresequenceswereignoredfromthenormalsequencedatabaseinthisapproach.
Allthesetechniquesmodelednormalbehaviorbyusingfixedlengthpatternsoftrainingsequences.
AschemetogeneratevariablelengthpatternsbyusingTeiresias(RigoutsosandFloratos1998),apattern-discoveryalgorithminbiologicalsequences,wasproposedin(Wespi,Dacier,andDebar1999,2000).
Thesetechniquesimproveduponthefixedlengthmethods.
Thoughalltheaboveapproachesusesystemcallsequences,noneofthemmakeuseofthesystemcallarguments.
GivensomeknowledgeabouttheIDS,attackerscandevisesomemethodologiestoevadesuchintrusiondetectionsystems(Tan,Killourhy,andMaxion2002;WagnerandSoto2002).
Suchattacksmightbedetectedifthesystemcallargumentsarealsoevaluated(Kruegeletal.
2003),andthismotivatesourcurrentwork.
Ourtechniquemodelsonlytheimportantcharacteristicsandgeneralizesfromit;previousworkemphasizesonthestructureofallthearguments.
ApproachSinceourgoalistodetecthost-basedintrusions,systemcallsareinstrumentalinoursystem.
Weincorporatethesystemcallswithitsargumentstogeneratearichermodel.
ThenwepresentdifferentrepresentationsformodelingasystemusingLERAD,whichisdiscussednext.
LearningRulesforAnomalyDetection(LERAD)Algorithmsforfindingassociationrules,suchasApriori(Agrawal,Imielinski,andSwami1993),generatealargenumberofrules.
Thisincursalargeoverheadandmaynotbeappropriateforonlinedetection.
Wewouldliketohaveaminimalsetofrulesdescribingthenormaltrainingdata.
LERADisaconditionalrule-learningalgorithmthatformsasmallsetofrules.
Itisbrieflydescribedhere;moredetailscanbeobtainedfrom(MahoneyandChan2003).
LERADlearnsrulesoftheform:},,{,,21KKxxXbBaA∈==(1)whereA,B,andXareattributesanda,b,x1,x2arevaluesforthecorrespondingattributes.
Thelearnedrulesrepresentthepatternspresentinthenormaltrainingdata.
Theset{x1,x2,…}intheconsequentconstitutesalluniquevaluesofXwhentheantecedentoccursinthetrainingdata.
Duringthedetectionphase,records(ortuples)thatmatchtheantecedentbutnottheconsequentofaruleareconsideredanomalousandananomalyscoreisassociatedwitheveryruleviolation.
Thedegreeofanomalyisbasedonaprobabilisticmodel.
Foreachrule,fromthetrainingdata,theprobability,p,ofobservingavaluenotintheconsequentisestimatedby:nrp/=(2)whereristhecardinalityoftheset,{x1,x2,…},intheconsequentandnisthenumberofrecords(tuples)thatsatisfytheruleduringtraining.
Thisprobabilityestimationofnovel(zerofrequency)eventsisfrom(WittenandBell1991).
Sincepestimatestheprobabilityofanovelevent,thelargerpis,thelessanomalousanoveleventis.
Hence,duringdetection,whenanoveleventisobserved,thedegreeofanomaly(anomalyscore)isestimatedby:rnpScoreAnomaly//1==(3)Anon-stationarymodelisassumedforLERAD–onlythelastoccurrenceofaneventisassumedimportant.
Sincenoveleventsareburstyinconjunctionwithattacks,afactortisintroduced–itisthetimeintervalsincethelastnovel(anomalous)attributevalue.
Whenanoveleventoccurredrecently(smallvalueoft),anoveleventismorelikelytooccuratthepresentmoment.
Hence,theanomalyscoreismeasuredbyt/p.
Sincearecordcandeviatefromtheconsequentofmorethanonerule,thetotalanomalyscoreofarecordisaggregatedoveralltherulesviolatedbythetupletocombinetheeffectfromviolationofmultiplerules:∑∑==rntptScoreAnomalyTotal//(4)Themoretheviolations,moresignificanttheanomalyis,andthehighertheanomalyscoreshouldbe.
Analarmisraisedifthetotalanomalyscoreisaboveathreshold.
TherulegenerationphaseofLERADcomprisesof4mainsteps:(i)Generateinitialruleset:TrainingsamplesarepickedupatrandomfromarandomsubsetSoftrainingexamples.
Candidaterules(asdepictedinEquation1)aregeneratedfromthesesamples.
(ii)Coveragetest:Therulesetisfilteredbyremovingrulesthatdonotcover/describeallthetrainingexamplesinS.
Ruleswithlowerrateofanomalies(lowerr/n)arekept.
(iii)UpdaterulesetbeyondS:Extendtherulesovertheremainingtrainingdatabyaddingvaluesfortheattributeintheconsequentwhentheantecedentistrue.
(iv)Validatetheruleset:Rulesareremovediftheyareviolatedbyanytupleinthevalidationset.
Sincesystemcallisthekey(pivotal)attributeinahostbasedsystem,wemodifiedLERADsuchthattheruleswereforcedtohaveasystemcallasaconditionintheantecedent.
Theonlyexceptionwemadewasthegenerationofruleswithnoantecedent.
SystemcallandargumentbasedrepresentationsWenowpresentthedifferentrepresentationsforLERAD.
Sequenceofsystemcalls:S-LERAD.
Usingsequenceofsystemcallsisaverypopularapproachforanomalydetection.
Weusedawindowoffixedlength6(asthisisclaimedtogivebestresultsinstideandt-stide)andfedthesesequencesofsixsystemcalltokensasinputtuplestoLERAD.
ThisrepresentationisselectedtoexplorewhetherLERADwouldbeabletocapturethecorrelationsamongsystemcallsinasequence.
Also,thisexperimentwouldassistusincomparingresultsbyusingthesamealgorithmforsystemcallsequencesaswellastheirarguments.
AsamplerulelearnedinaparticularrunofS-LERADis:}{,,3621munmapSCopenSCmmapSCcloseSC∈===(1/pvalue=455/1)Thisruleisanalogoustoencounteringcloseasthefirstsystemcall(representedasSC1),followedbymmapandmunmap,andopenasthesixthsystemcall(SC6)inawindowofsize6slidingacrosstheaudittrail.
Eachruleisassociatedwithann/rvalue.
Thenumber455inthenumeratorreferstothenumberoftraininginstancesthatcomplywiththerule(ninEquation3).
Thenumber1inthedenominatorimpliesthatthereexistsjustonedistinctvalueoftheconsequent(munmapinthiscase)whenalltheconditionsinthepremiseholdtrue(rinEquation3).
Argument-basedmodel:A-LERAD.
Weproposethatargumentandotherkeyattributeinformationisintegraltomodelingagoodhost-basedanomalydetectionsystem.
Weextractedarguments,returnvalueanderrorstatusofsystemcallsfromtheauditlogsandexaminedtheeffectsoflearningrulesbaseduponsystemcallsalongwiththeseattributes.
Anyvaluefortheotherarguments(giventhesystemcall)thatwasneverencounteredinthetrainingperiodforalongtimewouldraiseanalarm.
Weperformedexperimentsonthetrainingdatatomeasurethemaximumnumberofattributes(MAX)foreveryuniquesystemcall.
Wedidnotusethetestdatafortheseexperimentssothatwedonotgetanyinformationaboutitbeforeourmodelisbuilt.
SinceLERADacceptsthesame(fixed)numberofattributesforeverytuple,wehadtoinsertaNULLvalueforanattributethatwasabsentinaparticularsystemcall.
Theorderoftheattributeswithinthetuplewasmadesystemcalldependent.
SincewemodifiedLERADtoformrulesbaseduponthesystemcalls,thereisconsistencyamongsttheattributesforanyspecificsystemacrossallmodels.
Byincludingallattributesweutilizedthemaximumamountofinformationpossible.
Mergingsystemcallsequenceandargumentinformationofthecurrentsystemcall:M-LERAD.
Thefirstrepresentationwediscussedisbaseduponsequenceofsystemcalls;thesecondonetakesintoconsiderationotherrelevantattributes,whoseefficacyweclaiminthispaper;sofusingthetwotostudytheeffectswasanobviouschoice.
MergingisaccomplishedbyaddingmoreattributesineachtuplebeforeinputtoLERAD.
Eachtuplenowcomprisesofthesystemcall,MAXnumberofattributesforthecurrentsystemcall,andthepreviousfivesystemcalls.
Then/rvaluesobtainedfromtheallrulesviolatedareaggregatedintoananomalyscore,whichisthenusedtogenerateanalarmbaseduponthethreshold.
Mergingsystemcallsequenceandargumentinformationforallsystemcallsinthesequence:M*-LERAD.
Alltheproposedvariants,namelyS-LERAD,A-LERADandM-LERAD,considerasequenceof6systemcallsand/ortakeintotheargumentsforthecurrentsystemcall.
WeproposeanothervariantcalledmultipleargumentLERAD(M*-LERAD)–inadditiontousingthesystemcallsequenceandtheargumentsforthecurrentsystemcall,thetuplesnowalsocomprisetheargumentsforallsystemcallswithinthefixedlengthsequenceofsize6.
Eachtuplenowcomprisesofthecurrentsystemcall,MAXattributesforthecurrentsystemcall,5previoussystemcallsandMAXattributesforeachofthosesystemcalls.
ExperimentalEvaluationOurgoalistostudyifLERADcanbemodifiedtodetectattack-basedanomalieswithfeaturespacescomprisingsystemcallsandtheirarguments.
DatasetsandexperimentalprocedureWeusedthefollowingdatasetsforourexperiments:(i)The1999DARPAintrusiondetectionevaluationdataset:DevelopedattheMITLincolnLab,weselectedtheBSMlogsfromSolarishosttracingsystemcallsthatcontains33attacks.
Attackclassificationisprovidedin(Kendell1999).
Thefollowingapplicationswerechosen:ftpd,telnetd,sendmail,tcsh,login,ps,eject,fdformat,sh,quotaandufsdump,duetotheirvariedsizes(1500–over1millionsystemcalls).
Weexpectedtofindagoodmixofbenignandmaliciousbehaviorintheseapplications.
Trainingwasperformedonweek3dataandtestingonweeks4and5.
Anattackisconsideredtobedetectedifanalarmisraisedwithin60secondsofitsoccurrence(sameastheDARPAevaluation).
(ii)lpr,loginandpsapplicationsfromtheUniversityofNewMexico(UNM):Thelprapplicationcomprisedof2703normaltracescollectedfrom77hostsrunningSUNOS4.
1.
4attheMITAILab.
Another1001tracesresultfromtheexecutionofthelprcpattackscript.
TracesfromtheloginandpsapplicationswereobtainedfromLinuxmachinesrunningkernel2.
0.
35.
HomegrownTrojanprogramswereusedfortheattacktraces.
(iii)Microsoftexcelmacrosexecutions(FIT-UTKdata):Normalexcelmacroexecutionsareloggedin36distincttraces.
2malicioustracesmodifyregistrysettingsandexecutesomeotherapplication.
SuchabehaviorisexhibitedbytheILOVEYOUwormwhichopensthewebbrowsertoaspecifiedwebsiteandexecutesaprogram,modifyingregistrykeysandcorruptinguserfiles,resultinginadistributeddenialofservice(DDoS)attack.
TheinputtuplesforS-LERADwere6contiguoussystemcalls;forA-LERADtheyweresystemcallswiththeirreturnvalue,errorstatusandarguments;TheinputsforM-LERADweresequencesofsystemcallswithargumentsofthecurrentsystemcall;whereasinM*-LERAD,theyweresystemcallsequenceswithargumentsforallthe6systemcalls.
Fortide,theinputswereallthepairsofsystemcallswithinawindowoffixedsize6;stideandt-stidecomprisedallcontiguoussequencesoflength6.
Forallthetechniques,alarmsweremergedindecreasingorderoftheanomalyscoresandevaluatedatvariedfalsealarmrates.
ResultsSincet-stideissupposedtogivebestresultsamongthesequence-basedtechniques,wecompareditsperformancewithS-LERADontheUNMandFIT-UTKdatasets.
Table1:t-stidevs.
S-LERAD(UNM,FIT-UTKdata).
Numberofattacksdetected(Numberoffalsealarms)ProgramnameNumberoftrainingsequencesNumberoftestsequencest-stideS-LERADlpr100027041(0)1(1)ps12272(58)2(2)login881(0)1(1)excel3262(92)2(0)04812162000.
250.
512.
5Falsealarms(x10-3%perday)Numberofdetectionstidestidet-stideS-LERADA-LERADM-LERADM*-LERAD01234567DoSU2RR2LAttacktypesNumberofdetectionstidestidet-stideS-LERADA-LERADM-LERADM*-LERADFigure1.
Numberofdetections(DARPA/LLdata).
Figure2.
Numberofdetectionsat10falsealarmsperdayfordifferentattackcategories(DARPA/LLdata).
ResultsfromTable1showthatboththetechniqueswereabletodetectalltheattacks.
However,t-stidegeneratedmorefalsealarmsforpsandexcel.
WealsoperformedexperimentsontheDARPA/LLdatasetstoevaluateallthetechniques.
Figure1illustratesthetotalattacksdetected(Y-axis)atvariedfalsealarmsrates(X-axis).
Atzerofalsealarms,tide,stideandt-stidedetectedthemostattacks,suggestingthatmaximumdeviationsintemporalsequencesaretruerepresentationsofactualattacks.
Butasthethresholdisrelaxed,S-LERADoutperformedallthe3sequence-basedtechniques.
ThiscanbeattributedtothefactthatS-LERADisabletogeneralizewellandlearnstheimportantcorrelations.
TheUNMandFIT-UTKdatasetsdonothavecompleteargumentinformationtoevaluateLERADvariantsthatinvolvearguments.
FortheDARPA/LLdataset,A-LERADfaredbetterthanS-LERADandtheothersequence-basedtechniques(Figure1),suggestingthatargumentinformationismoreusefulthansequenceinformation.
Usingargumentscouldalsomakeasystemrobustagainstmimicryattackswhichevadesequence-basedsystems.
ItcanalsobeseenthattheA-LERADcurvecloselyfollowsthecurveforM-LERAD.
Thisimpliesthatthesequenceinformationisredundant;itdoesnotaddsubstantialinformationtowhatisalreadygatheredfromarguments.
M*-LERADperformedtheworstamongallthetechniquesatfalsealarmsratelowerthan0.
5x10-3%perday.
ThereasonforsuchaperformanceisthatM*-LERADgeneratedalarmsforbothsequenceandargumentbasedanomalies.
Ananomalousargumentinonesystemcallraisedanalarminsixdifferenttuples,leadingtoahigherfalsealarmrate.
Asthealarmthresholdwasrelaxed,thedetectionrateimproved.
ThebetterperformanceofLERADvariantscanbeattributedtoitsanomalyscoringfunction.
Itassociatesaprobabilisticscorewitheveryrule.
Insteadofabinary(present/absent)value(asinthecaseofstideandt-stide),thisprobabilityvalueisusedtocomputethedegreeofanomalousness.
Italsoincorporatesaparameterforthetimeelapsedsinceanovelvaluewasseenforanattribute.
Theadvantageistwofold:(i)itassistsindetectinglongtermanomalies;(ii)suppressesthegenerationofmultiplealarmsfornovelattributevaluesinasuddenburstofdata.
Figure2plotstheresultat10falsealarmsperday,makingatotalof100falsealarmsforthe10daysoftesting(criterionusedinthe1999DARPAevaluation).
DifferentattacktypesarerepresentedalongtheX-axisandtheY-axisdenotedthetotalattacksdetectedineachattackcategory.
M-LERADwasabletodetectthelargestnumberofattacks–5DoS,3U2Rand6R2Lattacks.
Aninterestingobservationisthatthesequence-basedtechniquesgenerallydetectedtheU2RattackswhereastheR2LandDoSattackswerebetterdetectedbytheargument-basedtechniques.
Ourtechniqueswereabletodetectsomepoorlydetectedattacksquotedin(Lippmannetal.
1999),warezclientbeingoneofthem.
Ourmodelsalsodetected3stealthypsattacks.
Table2.
A-LERADvs.
AC-LERAD(DARPA/LL).
NumberofdetectionsFalsealarmsperdayA-LERADAC-LERAD5109101311201716ExperimentswereperformedtoseeifNULLattributeshelpindetectinganomaliesoriftheyformedmeaninglessrules.
WeaddedaconstraintthattheNULLvaluescouldnotbeaddedtotheattributevaluesintherules.
WecallthisvariantAC-LERAD(A-LERADwithconstraint).
Table2summarizestheresults.
A-LERADwasabletodetectmoreattacksthantheconstrainedcounterpart,suggestingthatruleswithNULLvaluedattributesarebeneficialtothedetectionofanomaliescorrespondingtoattacks.
AnalysisofanomaliesAnanomalyisadeviationfromnormalcyand,bydefinition,doesnotnecessarilyidentifythenatureofanattack.
Anomalydetectionservesasanearlywarningsystem;humansneedtoinvestigateifananomalyactuallycorrespondstoamaliciousactivity.
Theanomaliesthatledtotheattacksdetectedbyargument-basedvariantsofLERAD,inmanycases,donotrepresentthetruenatureoftheattacks.
Instead,itmayberepresentativeofbehavioralpatternsresultingfromtheexecutionofsomeotherprogramaftertheintrudersuccessfullygainedaccesstothehost.
Forexample,aninstanceofguestattackisdetectedbyA-LERADnotbyobservingattemptsbythehackertryingtogainaccess,butbyencounteringnovelargumentstotheioctlsystemcallwhichwasexecutedbythehackertryingtoperformacontrolfunctiononaparticulardevice.
Astealthypsattackwasdetectedbyoursystemwhentheintrudertriedtochangeownerusinganovelgroupid.
Eveniftheanomalyisrelatedtotheattackitself,itmayreflectverylittleinformationabouttheattack.
Oursystemisabletolearnonlyapartialsignatureoftheattack.
Guessftpisdetectedbyabadpasswordforanillegitimateusertryingtogainaccess.
However,theattackercouldhavemadeinterspersedattemptstoevadethesystem.
Attackswerealsodetectedbycapturingerrorscommittedbytheintruder,possiblytoevadetheIDS.
Ftpwriteisavulnerabilitythatexploitsaconfigurationerrorwhereinaremoteftpuserisabletosuccessfullycreateandaddfiles(suchas.
rhost)andgainaccesstothesystem.
Thisattackisdetectedbymonitoringthesubsequentactionsoftheintruder,whereinheattemptstosettheauditstateusinganinvalidpreselectionmask.
Thisanomalywouldgounnoticedinasystemmonitoringonlysystemcalls.
Table3.
TopanomalousattributesforA-LERAD.
AttributecausingfalsealarmWhethersomeattackwasdetectedbythesameattributeioctlargumentYesioctlreturnvalueYessetegidmaskYesopenreturnvalueNoopenerrorstatusNofcntlerrorstatusNosetpgrpreturnvalueNoWere-emphasizethatourgoalistodetectanomalies,theunderlyingassumptionbeingthatanomaliesgenerallycorrespondtoattacks.
Sincenotallanomalouseventsaremalicious,weexpectfalsealarmstobegenerated.
Table3liststheattributesresponsibleforthegenerationofalarmsandwhethertheseresultedinactualdetectionsornot.
Itisobservedthatsomeanomalieswerepartofbenignapplicationbehavior.
Atotherinstances,theanomalousvalueforthesameattributewasresponsiblefordetectingactualmaliciousexecutionofprocesses.
Asanexample,manyattacksweredetectedbyobservingnovelargumentsfortheioctlsystemcall,butmanyfalsealarmswerealsogeneratedbythisattribute.
Eventhoughnotallnovelvaluescorrespondtoanyillegitimateactivity,argument-basedanomalieswereinstrumentalindetectingtheattacks.
TimeandspacerequirementsComparedtosequence-basedmethods,ourtechniquesextractandutilizemoreinformation(systemcallargumentsandotherattributes),makingitimperativetostudythefeasibilityofourtechniquesforonlineusage.
Fort-stide,allcontiguoussystemcallsequencesoflength6arestoredduringtraining.
ForA-LERAD,systemcallsequencesandotherattributesarestored.
Inboththecases,spacecomplexityisoftheorderofO(n),wherenisthetotalnumberofsystemcalls,thoughtheA-LERADrequirementismorebyaconstantfactorksinceitstoresadditionalargumentinformation.
Duringdetection,A-LERADusesonlyasmallsetofrules(intherange14-25fortheapplicationsusedinourexperiments).
t-stide,ontheotherhand,stillrequirestheentiredatabaseoffixedlengthsequencesduringtesting,whichincurlargerspaceoverheadduringdetection.
Weconductedexperimentsonthetcshapplication,whichcomprisesofover2millionsystemcallsintrainingandhasover7millionsystemcallsintestdata.
TherulesformedbyA-LERADrequirearound1KBspace,apartfromamappingtabletomapstringsandintegers.
Thememoryrequirementsforstoringasystemcallsequencedatabasefort-stidewereover5KBplusamappingtablebetweenstringsandintegers.
TheresultssuggestthatA-LERADhasbettermemoryrequirementsduringthedetectionphase.
Wereiteratethatthetrainingcanbedoneoffline.
Oncetherulesaregenerated,A-LERADcanbeusedtodoonlinetestingwithlowermemoryrequirements.
ThetimeoverheadincurredbyA-LERADandt-stideinourexperimentsisgiveninTable4.
TheCPUtimeshavebeenobtainedonaSunUltra5workstationwith256MBRAMand400MHzprocessorspeed.
ItcanbeinferredfromtheresultsthatA-LERADisslowerthant-stide.
Duringtraining,t-stideisamuchsimpleralgorithmandprocesseslessdatathanA-LERADforbuildingamodelandhencet-stidehasamuchshortertrainingtime.
Duringdetection,t-stidejustneedstocheckifasequenceispresentinthedatabase,whichcanbeefficientlyimplementedwithahashtable.
Ontheotherhand,A-LERADneedstocheckifarecordmatchesanyofthelearnedrules.
Also,A-LERADhastoprocessadditionalargumentinformation.
Run-timeperformanceofA-LERADcanbeimprovedwithmoreefficientrulematchingalgorithm.
Also,t-stidewillincursignificantlylargertimeoverheadwhenthestoredsequencesexceedthememorycapacityanddiskaccessesbecomeunavoidable–A-LERADdoesnotencounterthisproblemaseasilyast-stidesinceitwillstilluseasmallsetofrules.
Moreover,therun-timeoverheadofA-LERADisabouttensofsecondsfordaysofdata,whichisreasonableforpracticalpurposes.
Table4.
Executiontimecomparison.
ApplicationTrainingTime(seconds)[on1weekofdata]TestingTime(seconds)[on2weeksofdata]t-stideA-LERADt-stideA-LERADftpd0.
190.
900.
190.
89telnetd0.
967.
121.
059.
79ufsdump6.
7630.
040.
421.
66tcsh6.
3229.
565.
9129.
38login2.
4115.
122.
4515.
97sendmail2.
7314.
793.
2319.
63quota0.
203.
040.
203.
01sh0.
212.
980.
403.
93ConclusionsInthispaper,weportrayedtheefficacyofincorporatingsystemcallargumentinformationandusedarule-learningalgorithmtomodelahost-basedanomalydetectionsystem.
Baseduponexperimentsonvariousdatasets,weclaimthatourargument-basedmodel,A-LERAD,detectedmoreattacksthanallthesequence-basedtechniques.
Oursequence-basedvariant(S-LERAD)wasalsoabletogeneralizebetterthantheprevalentsequencebasedtechniques,whichrelyonpurememorization.
Mergingargumentandsequenceinformationcreatesarichermodelforanomalydetection,asillustratedbytheempiricalresultsofM-LERAD.
M*-LERADdetectedlessernumberofattacksatlowerfalsealarmratessinceeveryanomalousattributeresultsinalarmsbeingraisedin6successivetuples,leadingtoeithermultipledetectionsofthesameattack(countedasasingledetection)ormultiplefalsealarms(allseparateentities).
Resultsalsoindicatedthatsequence-basedmethodshelpdetectU2RattackswhereasR2LandDoSattackswerebetterdetectedbyargument-basedmodels.
Ourargument-basedtechniquesdetecteddifferenttypesofanomalies.
Someanomaliesdidnotrepresentthetruenatureoftheattack.
Someattacksweredetectedbysubsequentanomaloususerbehavior,liketryingtochangegroupownership.
Someotheranomaliesweredetectedbylearningonlyaportionoftheattack,whilesomeweredetectedbycapturingintrudererrors.
Thoughourtechniquesincurhighertimeoverheadduetothecomplexityofourtechniques(sincemoreinformationisprocessed)ascomparedtot-stide,theybuildmoresuccinctmodelsthatincurmuchlessspaceoverhead–ourtechniquesaimtogeneralizefromthetrainingdata,ratherthanpurememorization.
Moreover,3secondsperday(themostanapplicationtookduringtestingphase)isreasonableforonlinesystems,eventhoughitissignificantlylongerthant-stide.
Thoughourtechniquesdiddetectmoreattackswithfewerfalsealarms,therearisesaneedformoresophisticatedattributes.
Insteadofhavingafixedsequence,wecouldextendourmodelstoincorporatevariablelengthsub-sequencesofsystemcalls.
Eventheargument-basedmodelsareoffixedwindowsize,creatinganeedforamodelacceptingvariedargumentinformation.
Ourtechniquescanbeeasilyextendedtomonitoraudittrailsincontinuum.
Sincewemodeleachapplicationseparately,somedegreeofparallelismcanalsobeachievedtotestprocesssequencesastheyarebeinglogged.
ReferencesAgrawal,R.
;Imielinski,T.
;andSwamiA.
1993.
Miningassociationrulesbetweensetsofitemsinlargedatabases.
ACMSIGMOD,207-216.
Forrest,S.
;Hofmeyr,S.
;Somayaji,A.
;andLongstaff,T.
1996.
ASenseofSelfforUNIXProcesses.
IEEESymposiumonSecurityandPrivacy,120-128.
Kendell,K.
1999.
ADatabaseofComputerAttacksfortheEvaluationofIntrusionDetectionSystems.
MastersThesis,MIT.
Kruegel,C.
;Mutz,D.
;Valeur,F.
;andVigna,G.
2003.
OntheDetectionofAnomalousSystemCallArguments,EuropeanSymposiumonResearchinComputerSecurity,326-343.
Lane,T.
,andBrodleyC.
E.
1997.
SequenceMatchingandLearninginAnomalyDetectionforComputerSecurity.
AAAIWorkshoponAIApproachestoFraudDetectionandRiskManagement,43-49.
Lippmann,R.
;Haines,J.
;Fried,D.
;Korba,J.
;andDas,K.
2000.
The1999DARPAOff-LineIntrusionDetectionEvaluation.
ComputerNetworks,34:579-595.
Mahoney,M.
,andChan,P.
2003.
LearningRulesforAnomalyDetectionofHostileNetworkTraffic,IEEEInternationalConferenceonDataMining,601-604.
Rigoutsos,I.
,andFloratos,A.
1998.
Combinatorialpatterndiscoveryinbiologicalsequences.
Bioinformatics,14(1):55-67.
Tan,K.
M.
C.
;Killourhy,K.
S.
;andMaxion,R.
A.
2002.
UndermininganAnomaly-basedIntrusionDetectionSystemUsingCommonExploits.
RAID,54-74.
Wagner,D.
,andSoto,P.
2002.
MimicryAttacksonHost-BasedIntrusionDetectionSystems.
ACMCCS,255-264.
Warrender,C.
;Forrest,S.
;andPearlmutter,B.
1999.
DetectingIntrusionsUsingSystemCalls:AlternativeDataModels.
IEEESymposiumonSecurityandPrivacy,133-145.
Wespi,A.
;Dacier,M.
;andDebar,H.
1999.
AnIntrusion-DetectionSystemBasedontheTeiresiasPattern-DiscoveryAlgorithm.
EICARConference,1-15.
Wespi,A.
;Dacier,M.
;andDebar,H.
2000.
Intrusiondetectionusingvariable-lengthaudittrailpatterns.
RAID,110-129.
Witten,I.
,andBell,T.
1991.
Thezero-frequencyproblem:estimatingtheprobabilitiesofnoveleventsinadaptivetextcompression.
IEEETrans.
onInformationTheory,37(4):1085-1094.
酷番云怎么样?酷番云就不讲太多了,介绍过很多次,老牌商家完事,最近有不少小伙伴,一直问我台湾VPS,比较难找好的商家,台湾VPS本来就比较少,也介绍了不少商家,线路都不是很好,有些需求支持Windows是比较少的,这里我们就给大家测评下 酷番云的台湾VPS,支持多个版本Linux和Windows操作系统,提供了CN2线路,并且还是原生IP,更惊喜的是提供的是无限流量。有需求的可以试试。可以看到回程...
提速啦(www.tisula.com)是赣州王成璟网络科技有限公司旗下云服务器品牌,目前拥有在籍员工40人左右,社保在籍员工30人+,是正规的国内拥有IDC ICP ISP CDN 云牌照资质商家,2018-2021年连续4年获得CTG机房顶级金牌代理商荣誉 2021年赣州市于都县创业大赛三等奖,2020年于都电子商务示范企业,2021年于都县电子商务融合推广大使。资源优势介绍:Ceranetwo...
spinservers是一家主营国外服务器租用和Hybrid Dedicated等产品的商家,Majestic Hosting Solutions LLC旗下站点,商家数据中心包括美国达拉斯和圣何塞机房,机器一般10Gbps端口带宽,且硬件配置较高。目前,主机商针对达拉斯机房机器提供优惠码,最低款Dual E5-2630L v2+64G+1.6TB SSD月付89美元起,支持PayPal、支付宝等...
warez为你推荐
域名价格请问域名有什么价值吗?linux虚拟主机怎么样在自己的电脑上安装一个Linux的虚拟机操作系统?中国互联网域名注册中国互联网域名注册怎么操作免费网站域名申请怎么免费上传我的网站呀和免费申请域名美国vps租用VPS服务器租用哪里的好?独立ip虚拟主机独立ip空间的虚拟主机一般多少钱100m虚拟主机万网和新网虚拟主机有100M的吗上海虚拟主机上海哪个域名注册和虚拟主机IDC稳定可靠,价格合适?北京虚拟主机租用租用虚拟主机在哪里租用比较好西安虚拟主机西安云主机/云主机与vps有哪些区别
域名信息查询 东莞服务器租用 华为云服务 息壤备案 申请个人网站 七夕促销 南通服务器 空间技术网 电信托管 卡巴斯基免费试用版 新加坡空间 广州虚拟主机 中国联通宽带测试 rewritecond googlevoice 蓝队云 windowsserver2012r2 美国asp空间 alexa世界排名 认证机构 更多