AIDIS: Detecting and Classifying Anomalous Behavior in Ubiquitous Kernel Processes
dc.cclicence | CC-BY-NC | en |
dc.contributor.author | Luh, Robert | |
dc.contributor.author | Janicke, Helge | |
dc.contributor.author | Schrittwieser, Sebastian | |
dc.date.acceptance | 2019-03-17 | |
dc.date.accessioned | 2019-03-26T14:12:46Z | |
dc.date.available | 2019-03-26T14:12:46Z | |
dc.date.issued | 2019-03-20 | |
dc.description | The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link. | en |
dc.description.abstract | Targeted attacks on IT systems are a rising threat against the confidentiality, integrity, and availability of critical information and infrastructures. With the rising prominence of advanced persistent threats (APTs), identifying and understanding such attacks has become increasingly important. Current signature-based systems are heavily reliant on fixed patterns that struggle with unknown or evasive applications, while behavior-based solutions usually leave most of the interpretative work to a human analyst. In this article we propose AIDIS, an Advanced Intrusion Detection and Interpretation System capable of explaining anomalous behavior within a network-enabled user session by considering kernel event anomalies identified through their deviation from a set of baseline process graphs. For this purpose we adapt star-structures, a bipartite representation used to approximate the edit distance between two graphs. Baseline templates are generated automatically and adapt to the nature of the respective operating system process. We prototypically implemented smart anomaly classification through a set of competency questions applied to graph template deviations and evaluated the approach using both Random Forest and linear kernel support vector machines. The determined attack classes are ultimately mapped to a dedicated APT attacker/defender meta model that considers actions, actors, as well as assets and mitigating controls, thereby enabling decision support and contextual interpretation of ongoing attacks. | en |
dc.funder | No external funder | en |
dc.identifier.citation | Luh, R., Janicke, H. and Schrittwieser, S. (2019) AIDIS: Detecting and Classifying Anomalous Behavior in Ubiquitous Kernel Processes, Computers & Security, 84, pp. 120-147 | en |
dc.identifier.doi | https://doi.org/10.1016/j.cose.2019.03.015 | |
dc.identifier.uri | https://www.dora.dmu.ac.uk/handle/2086/17641 | |
dc.language.iso | en_US | en |
dc.peerreviewed | Yes | en |
dc.publisher | Elsevier | en |
dc.researchinstitute | Cyber Technology Institute (CTI) | en |
dc.subject | intrusion detection, malware, anomaly detection, graph matching, star structure, security model, semantic gap, machine learning, classification | en |
dc.title | AIDIS: Detecting and Classifying Anomalous Behavior in Ubiquitous Kernel Processes | en |
dc.type | Article | en |