Published in: IEEE Pacific Rim International Symposium on Dependable Computing

Learning Process Behavioral Baselines for Anomaly Detection



Abstract

Intrusion resilience is a protection strategy aimed at building systems that can continue to provide service during attacks. One approach to intrusion resilience is to continuously monitor a system's state and change its configuration to maintain service even while attacks are occurring. Intrusion detection, through both anomaly detection (for unknown attacks) and signature detection (for known attacks), is thus a crucial part of that resilience strategy. In this paper, we introduce KOBRA, an online anomaly detection engine that learns behavioral baselines for applications. KOBRA is implemented as a set of cooperative kernel modules that collect time-stamped process events. The process events are converted to a discrete-time signal in the polar space. We learn local patterns that occur in the data and then learn the normal co-occurrence relationships between the patterns. The patterns and the co-occurrence relations model the normal behavioral baseline of an application. We compute an anomaly score for tested traces and compare it against a threshold for anomaly detection. We evaluate the baseline by experimenting with its ability to discriminate between different processes and detect malicious behavior.
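The pipeline the abstract sketches (time-stamped events to a discrete-time signal, local patterns learned from the signal, co-occurrence relations between patterns, an anomaly score compared against a threshold), carried through as an added worked example in Python. This is illustrative code written for this page, not KOBRA's implementation. The abstract does not give the polar-space encoding, the pattern learner or the scoring rule, so the stand-ins used here are assumptions: events are coded as integers with a reserved idle code per time slot, a local pattern is a fixed-width window of the signal, a co-occurrence is an ordered pair of patterns at most a few windows apart, and the score is the mean of the unseen-pattern and unseen-pair fractions. The event alphabet and all traces are constructed for the example.

```python
"""Added illustrative sketch of a KOBRA-style behavioural baseline (not KOBRA's code).

The abstract does not specify the polar-space conversion, the pattern learner or
the scoring rule; everything marked "assumption" below is a stand-in chosen for
this example.
"""
from typing import Dict, Iterator, List, Sequence, Set, Tuple

Event = Tuple[int, str]                      # (timestamp in ms, event name)
Pattern = Tuple[int, ...]
Baseline = Tuple[Set[Pattern], Set[Tuple[Pattern, Pattern]]]

# Assumption: a fixed alphabet of process events. Code 0 is reserved for idle
# slots, and any event name outside the alphabet collapses to one UNKNOWN code.
EVENT_CODES = {"open": 1, "read": 2, "write": 3, "close": 4,
               "socket": 5, "connect": 6, "execve": 7}
IDLE = 0
UNKNOWN = len(EVENT_CODES) + 1


def to_signal(trace: Sequence[Event], slot_ms: int = 1) -> List[int]:
    """Time-stamped events -> discrete-time signal with one sample per time slot.

    A slot holds the code of the last event that fell into it, or IDLE.
    Assumption: this integer coding stands in for the paper's polar-space mapping.
    """
    ordered = sorted(trace)
    signal = [IDLE] * (ordered[-1][0] // slot_ms + 1)
    for ts, name in ordered:
        signal[ts // slot_ms] = EVENT_CODES.get(name, UNKNOWN)
    return signal


def local_patterns(signal: Sequence[int], width: int) -> List[Pattern]:
    """Every window of `width` consecutive samples is one local pattern."""
    return [tuple(signal[i:i + width]) for i in range(len(signal) - width + 1)]


def pattern_pairs(patterns: Sequence[Pattern], reach: int) -> Iterator[Tuple[Pattern, Pattern]]:
    """Ordered (earlier, later) pairs of patterns at most `reach` windows apart."""
    for i, earlier in enumerate(patterns):
        for j in range(i + 1, min(i + reach, len(patterns) - 1) + 1):
            yield earlier, patterns[j]


def learn_baseline(traces: Sequence[Sequence[Event]], width: int = 2, reach: int = 2) -> Baseline:
    """Learn the normal patterns and the normal co-occurrence relations between them."""
    seen_patterns: Set[Pattern] = set()
    seen_pairs: Set[Tuple[Pattern, Pattern]] = set()
    for trace in traces:
        pats = local_patterns(to_signal(trace), width)
        seen_patterns.update(pats)
        seen_pairs.update(pattern_pairs(pats, reach))
    return seen_patterns, seen_pairs


def anomaly_score(trace: Sequence[Event], baseline: Baseline,
                  width: int = 2, reach: int = 2) -> Dict[str, float]:
    """Fraction of unseen patterns, fraction of unseen pairs, and their mean.

    Assumption: the mean of the two unseen fractions is the anomaly score.
    """
    seen_patterns, seen_pairs = baseline
    pats = local_patterns(to_signal(trace), width)
    if not pats:
        raise ValueError("trace shorter than the pattern width")
    pairs = list(pattern_pairs(pats, reach))
    unseen_p = sum(p not in seen_patterns for p in pats) / len(pats)
    unseen_c = sum(pr not in seen_pairs for pr in pairs) / len(pairs) if pairs else 0.0
    return {"pattern": unseen_p, "cooccurrence": unseen_c,
            "score": (unseen_p + unseen_c) / 2}


def is_anomalous(trace: Sequence[Event], baseline: Baseline, threshold: float = 0.2) -> bool:
    """Threshold decision on the anomaly score (threshold value is an assumption)."""
    return anomaly_score(trace, baseline)["score"] > threshold


# Constructed traces (not data from the paper): a worker that rewrites a file.
NORMAL_TRACES = [
    [(0, "open"), (1, "read"), (2, "write"), (3, "read"), (4, "write"), (5, "close")],
    [(0, "open"), (1, "read"), (2, "write"), (4, "close")],
    [(0, "open"), (1, "read"), (2, "write"), (3, "read"), (4, "write"),
     (5, "read"), (6, "write"), (7, "close")],
]
TEST_NORMAL = list(enumerate(["open", "read", "write", "read", "write",
                              "read", "write", "read", "write", "close"]))
# Every local pattern here is known, but one pattern pair never co-occurred in training.
TEST_REORDERED = [(0, "open"), (1, "read"), (2, "write"), (3, "read"), (4, "write"), (6, "close")]
# Reads a file, opens a network connection and execs something: unseen patterns throughout.
TEST_MALICIOUS = [(0, "open"), (1, "read"), (2, "socket"), (3, "connect"), (4, "write"), (5, "execve")]

if __name__ == "__main__":
    baseline = learn_baseline(NORMAL_TRACES)
    for name, trace in [("normal", TEST_NORMAL), ("reordered", TEST_REORDERED),
                        ("malicious", TEST_MALICIOUS)]:
        print(name, anomaly_score(trace, baseline), is_anomalous(trace, baseline))
```

The reordered trace is the case the second learning stage exists for: its pattern-level score is 0 because every window was seen in training, and only the co-occurrence relations flag that a known pattern appears in an unfamiliar neighbourhood. The threshold in a real deployment would be set from the score distribution on held-out normal traces rather than fixed by hand, and the unknown-event code is deliberately a single value so that a new event type raises the score without the alphabet having to be pre-populated.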
