Learning Program Behavior for Run-Time Software Assurance
In this paper we present techniques for machine learning of program behavior by observing application level events to support runtime anomaly detection. We exploit two key relationships among event sequences: their edit distance proximity and state information embedded in event data. We integrate two techniques that employ these relationships to reduce both false positives and false negatives. Our techniques consider event sequences in their entirety, and thus better leverage correlations among events over longer time periods than most other techniques that use small, fixed length sliding windows over such sequences. We employ cluster signatures that minimize adverse effects of noise in anomaly detection, thereby further reducing false positives. We leverage state information in event data to summarize loop structures in sequences which, in turn, leads to better classification of program behavior. We have performed initial validations of these techniques using Asterisk®, a widely deployed, open source digital PBX.
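The abstract names three ingredients: whole-sequence edit distance, cluster signatures that discount noise, and loop summarization driven by event state. The following Python example, added here and not taken from the paper or from Asterisk, puts those ingredients together in a deliberately simplified form: Levenshtein distance over event tokens, greedy leader clustering with a minimum-support filter so that singleton clusters do not become signatures, and loop summarization that collapses consecutive repeats of one event into a starred token. The event names, the training sequences and the radius/support values are constructed assumptions chosen to resemble a PBX call flow, not data from the paper.

```python
from typing import List, Tuple

Event = str
Sequence = List[Event]
Signature = Tuple[Sequence, int]  # (representative sequence, accepted radius)


def edit_distance(a: Sequence, b: Sequence) -> int:
    """Levenshtein distance over whole event sequences (no sliding window)."""
    prev = list(range(len(b) + 1))
    for i, ea in enumerate(a, 1):
        cur = [i]
        for j, eb in enumerate(b, 1):
            cost = 0 if ea == eb else 1
            cur.append(min(prev[j] + 1,          # delete from a
                           cur[j - 1] + 1,       # insert into a
                           prev[j - 1] + cost))  # substitute / match
        prev = cur
    return prev[-1]


def summarize_loops(seq: Sequence) -> Sequence:
    """Collapse consecutive repeats of one event into a single 'EVENT*' token.

    Simplifying assumption (mine, not the paper's): a repeated event is the
    visible trace of a loop, so the iteration count should not affect distance.
    """
    out: Sequence = []
    i = 0
    while i < len(seq):
        j = i
        while j < len(seq) and seq[j] == seq[i]:
            j += 1
        out.append(seq[i] + "*" if j - i > 1 else seq[i])
        i = j
    return out


def build_signatures(training: List[Sequence], radius: int,
                     min_support: int = 2) -> List[Signature]:
    """Greedy leader clustering of summarized sequences.

    A sequence joins the first cluster whose representative is within `radius`,
    otherwise it starts a new cluster. Clusters with fewer than `min_support`
    members are treated as noise and do not become signatures.
    """
    clusters: List[List] = []  # [representative, member_count]
    for raw in training:
        seq = summarize_loops(raw)
        for cluster in clusters:
            if edit_distance(seq, cluster[0]) <= radius:
                cluster[1] += 1
                break
        else:
            clusters.append([seq, 1])
    return [(rep, radius) for rep, n in clusters if n >= min_support]


def nearest_signature_distance(seq: Sequence, signatures: List[Signature]) -> int:
    s = summarize_loops(seq)
    return min(edit_distance(s, rep) for rep, _ in signatures)


def is_anomalous(seq: Sequence, signatures: List[Signature]) -> bool:
    """Anomalous if no signature accepts the (summarized) sequence."""
    s = summarize_loops(seq)
    return all(edit_distance(s, rep) > r for rep, r in signatures)


# Constructed training traces resembling call flows; not real Asterisk data.
NORMAL_CALL = ["DIAL", "RING", "ANSWER", "TALK", "HANGUP"]
VOICEMAIL = ["DIAL", "RING", "RING", "RING", "VOICEMAIL", "HANGUP"]
BUSY = ["DIAL", "BUSY", "HANGUP"]
RARE_TRANSFER = ["DIAL", "RING", "ANSWER", "TALK", "TRANSFER", "TALK", "HANGUP"]

TRAINING = [NORMAL_CALL] * 5 + [VOICEMAIL] * 3 + [BUSY] * 3 + [RARE_TRANSFER]
SIGNATURES = build_signatures(TRAINING, radius=1, min_support=2)

if __name__ == "__main__":
    for rep, r in SIGNATURES:
        print("signature:", rep, "radius", r)
    probes = [
        ["DIAL", "RING", "RING", "RING", "RING", "RING", "VOICEMAIL", "HANGUP"],
        ["DIAL", "RING", "ANSWER", "TALK", "HANGUP", "ANSWER", "TALK", "HANGUP"],
    ]
    for p in probes:
        print(p, "->", "ANOMALY" if is_anomalous(p, SIGNATURES) else "normal")
```

The first probe rings five times instead of three; after loop summarization it is identical to the voicemail signature, which is the false-positive reduction the abstract attributes to loop summarization. The second probe contains only event pairs that also occur in normal calls, so a two-event sliding window would pass it, but its whole-sequence distance to every signature exceeds the radius and it is flagged. The single transfer trace never becomes a signature because of `min_support`, so an identical trace at detection time is also flagged; raising `min_support` trades false positives on rare-but-legitimate behaviour against robustness to noisy training data.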
Keywords: program behavior learning, unsupervised learning, anomaly detection, intrusion detection, automata generation