Development of anomalous computer behavior detection method based on probabilistic automaton
DOI:
https://doi.org/10.18372/2225-5036.24.13427Keywords:
probabilistic automaton, anomalous computer system behavior, heuristic analyzer, anomaly detection systemAbstract
The paper proposes a method for identifying the anomalous behavior of a computer system based on probabilistic automaton. The main components of the method are the model of generation of the structure of the automaton and its modification procedure. The defining feature of the method is adaptation of automaton structure generation procedure for detecting scenarios of the same type, by restructuring the structure of the automaton upon a match and by recalculation of the state transition probabilities. Input data of the automaton consist of discrete events (system calls, process IDs or sections of code instructions), typical for a certain class of anomalous behavior, and grouped by type. The automaton structure is first created in accordance with one of the instances of a class, and then restructured during the analysis of other instances. Possibility of state transition depends on the input state and transition probability value. Generated automaton structure is used to detect anomalous computer system behavior. Automaton structure can be updated, if an anomaly occurs with different scenarios. Proposed method allows to speed up detecting anomalous computer behavior, as well as to detect computer system anomalies, scenario profiles of which only partially match with instances used for generation the structure of the automaton. Obtained research results allow us to conclude about the possibility of using this method in heuristic analyzers of anomaly detection systems.References
О. Шелухин, Д. Сакалема, А. Филинова, Обнаружение вторжений в компьютерные сети (сетевые аномалии): учебное пособие для вузов, М.: Горячая линия-Телеком, 2013, 220 с.
Т. Шипова, В. Босько, И. Березюк, Ю. Пархоменко, "Анализ современных методов обнаружения вторжений в компьютерные системы", Системи обробки інформації: зб. наук. пр., Харьков: ХУ ПС, Вип. 1 (139), С. 133-137, 2016.
S. Zacher, P. Ryba, "Anomaly detection in server metrics with use of one-sided median algorithm", JACSM, vol. 9, no. 1, pp. 5-22, 2017.
L. Akoglu, H. Tong, D. Koutra, "Graph based anomaly detection and description: a survey", Data Mining and Knowledge Discovery, vol. 29(3), pp. 626-688, 2015.
H. Al-Hamami, G. Al-Saadoon, "Development of a network-based: Intrusion Prevention System using a Data Mining approach", Science and Information Conference, London, pp. 641-644, 2013.
C. Kruegel, D. Mutz, F. Valeur, G. Vigna, "On the detection of anomalous system call arguments", in In Proc. of the 8th European Symposium on Research in Computer Security. Springer-Verlag. pp. 326-343, 2003.
М. Рабин, "Вероятностные автоматы", Кибернетический сборник, Вып. 9, М.: Иностранная литература, С. 123-141, 1964.
A. Maier, O. Niggemann, R. Just, M. J¨ager, Anomaly Detection in Production Plants using Timed Automata. [Electronic resource]. Online: https://www. researchgate.net /publication/257365001_Anomaly_Detection_in_Production_Plants_using_Timed_Automata.
F. Kepler, S. Mergen, C. Billa, "Simple variable length n-grams for probabilistic automata learning. Journal of Machine Learning Research", Workshop and Conference Proceedings, ICGI’12, pp. 254-258, 2012.
S. Verwer, M. Weerdt, C. Witteveen, "A likelihood-ratio test for identifying probabilistic deterministic real-time automata from positive data", In Proceedings of ICGI’10, volume 6339 of LNCS, Springer-Verlag, pp. 203216, 2010.
Kui Xu, Danfeng Yao, Barbara Ryder, Ke Tian, Probabilistic Program Modeling for High-Precision Anomaly Classification. [Electronic resource]. Online: http:// people. cs. vt. edu/danfeng/papers/HMM-CSF- 15-Yao.pdf.
