AIDIS: Detecting and Classifying Anomalous Behavior in Ubiquitous Kernel Processes

dc.cclicence: CC-BY-NC
dc.contributor.author: Luh, Robert
dc.contributor.author: Janicke, Helge
dc.contributor.author: Schrittwieser, Sebastian
dc.date.acceptance: 2019-03-17
dc.date.accessioned: 2019-03-26T14:12:46Z
dc.date.available: 2019-03-26T14:12:46Z
dc.date.issued: 2019-03-20
dc.description: The file attached to this record is the author's final peer-reviewed version. The publisher's final version can be found by following the DOI link.
dc.description.abstract:

Targeted attacks on IT systems are a rising threat against the confidentiality, integrity, and availability of critical information and infrastructures. With the rising prominence of advanced persistent threats (APTs), identifying and understanding such attacks has become increasingly important. Current signature-based systems are heavily reliant on fixed patterns that struggle with unknown or evasive applications, while behavior-based solutions usually leave most of the interpretative work to a human analyst.

In this article we propose AIDIS, an Advanced Intrusion Detection and Interpretation System capable of explaining anomalous behavior within a network-enabled user session by considering kernel event anomalies identified through their deviation from a set of baseline process graphs. For this purpose we adapt star structures, a bipartite representation used to approximate the edit distance between two graphs. Baseline templates are generated automatically and adapt to the nature of the respective operating system process.

We prototypically implemented smart anomaly classification through a set of competency questions applied to graph template deviations and evaluated the approach using both Random Forest and linear-kernel support vector machines. The determined attack classes are ultimately mapped to a dedicated APT attacker/defender meta model that considers actions and actors as well as assets and mitigating controls, thereby enabling decision support and contextual interpretation of ongoing attacks.
dc.funder: No external funder
dc.identifier.citation: Luh, R., Janicke, H. and Schrittwieser, S. (2019) AIDIS: Detecting and Classifying Anomalous Behavior in Ubiquitous Kernel Processes, Computers & Security, 84, pp. 120-147
dc.identifier.doi: https://doi.org/10.1016/j.cose.2019.03.015
dc.identifier.uri: https://www.dora.dmu.ac.uk/handle/2086/17641
dc.language.iso: en_US
dc.peerreviewed: Yes
dc.publisher: Elsevier
dc.researchinstitute: Cyber Technology Institute (CTI)
dc.subject: intrusion detection, malware, anomaly detection, graph matching, star structure, security model, semantic gap, machine learning, classification
dc.title: AIDIS: Detecting and Classifying Anomalous Behavior in Ubiquitous Kernel Processes
dc.type: Article

Files

Original bundle
Name: 1-s2.0-S0167404818314457-main.pdf
Size: 3.36 MB
Format: Adobe Portable Document Format

License bundle
Name: license.txt
Size: 4.2 KB
Description: Item-specific license agreed upon to submission