Combining dynamic and static host intrusion detection features using variational long short-term memory recurrent autoencoder:

Вьет Хунг Нгуен; Чан Нгуен Нгок

doi:10.21638/11701/spbu10.2024.104

Авторы

Вьет Хунг Нгуен Вьетнамский государственный технический университет имени Ле Куй Дона, Вьетнам, 140000, Ханой, ул. Хоанг Куок Вьет, 236 https://orcid.org/0000-0002-9818-4455
Чан Нгуен Нгок Вьетнамский государственный технический университет имени Ле Куй Дона, Вьетнам, 140000, Ханой, ул. Хоанг Куок Вьет, 236 https://orcid.org/0000-0002-0059-350X

DOI:

https://doi.org/10.21638/11701/spbu10.2024.104

Аннотация

Несмотря на многие преимущества систем обнаружения вторжения на хосте (HIDS), они в основном не приняты в мейнстримных стратегиях кибербезопасности. В отличие от мониторящих сетевой трафик систем обнаружения вторжения HIDS являются последним рубежом обороны операционной системы от потенциальной атаки. Однa из основных причин такого состояния дел — низкая эффективность адекватной защиты от атак нулевого дня. Поскольку число атак уязвимостей нулевого дня и связанных с ними атак растет, для современной HIDS становится критически необходимым уметь им противостоять. В настоящей работе рассмотрен подход с использованием вариационного рекуррентного автокодировщика с долгой краткосрочной памятью (variational long short-term memory — recurrent autoencoder), который увеличивает эффективность обнаружения атак нулевого дня. Разработанная модель реализована с использованием TensorFlow, и проверена ее работа на известных наборах данных ADFA-LD и UNM. Также проведено сравнение с другими подходами, опубликованными в наиболее известных статьях по данной тематике.

Ключевые слова:

HIDS, обнаружение аномалий, вариационный автокодировщик, глубокое обучение

Скачивания

Данные скачивания пока недоступны.

Библиографические ссылки

References

The incident response analyst report. Moscow, Kaspersky Publ., 2022, 20 p.

Hochreiter S., Schmidhuber J. Long short-term memory. Neural Computation, 1997, vol. 9, iss. 8, pp. 1735–1780. https://www.doi.org/10.1162/neco.1997.9.8.1735

Chandra R. Competition and collaboration in cooperative coevolution of Elman recurrent neural networks for time-series prediction. IEEE Transactions on Neural Networks and Learning Systems, 2015, vol. 26, no. 12, pp. 3123–3136. https://doi.org/10.1109/TNNLS.2015.2404823

Cho K., van Merrienboer B., Gulcehre C., Bougares F., Schwenk H., Bengio Y. Learning phrase representations using RNN encoder–decoder for statistical machine translation. Proceedings of Conference on Empirical Methods in Natural Language Processing (EMNLP), 2014, pp. 1724–1734. https://doi.org/10.3115/v1/D14-1179

Graves A., Liwicki M., Fern'andez S., Bertolami R., Bunke H., Schmidhuber J. A novel connectionist system for unconstrained handwriting recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2009, vol. 31, no. 5, pp. 855–868.

Deepika S., Erinc M., Ismini P., Johannes K., Sten H., Matthieu G., Andreas H. Human activity recognition using recurrent neural networks. Proceedings of International Cross-Domain Conference for Machine Learning and Knowledge Extraction. Reggio, Italy, 2017, pp. 267–274.

Fabius O., van Amersfoort J. R. Variational recurrent auto-encoders. ArXiv preprint, 2015, no. 1412.6581. https://arxiv.org/abs/1412.6581

Kingma D. P., Welling M. Auto-encoding variational Bayes. Proceedings of 2^nd International Conference on Learning Representations (ICLR), 2014, pp. 1–6.

Warrender C., Forrest S., Pearlmutter B. Detecting intrusions using system calls: alternative data models. Proceedings of the 1999 IEEE Symposium on Security and Privacy. Oakland, USA, 1999, pp. 133–145. https://doi.org/10.1109/SECPRI.1999.766910

Maggi F., Matteucci M., Zanero S. Detecting intrusions through system call sequence and argument analysis. IEEE Transactions on Dependable and Secure Computing, 2010, vol. 7, iss. 4, pp. 381–395. https://doi.org/10.1109/TDSC.2008.69

Xie M., Hu J., Yu X., Chang E. Evaluating host-based anomaly detection systems: application of the frequency-based algorithms to ADFA-LD. Proceedings of 8^th International Conference on Network and System Security. Xian, China, 2014, pp. 542–549. https://doi.org/10.1007/978-3-319-11698-344

Xie M., Hu J., Slay J. Evaluating host-based anomaly detection systems: Application of the one-class SVM algorithm to ADFA-LD. International Conference on Fuzzy Systems and Knowledge Discovery (FSKD). Xiamen, China, 2014, pp. 978–982.

Creech G., Hu J. A semantic approach to host-based intrusion detection systems using contiguous and discontiguous system call patterns. IEEE Transactions on Computers, 2014, vol. 63, iss. 4, pp. 807–819. https://doi.org/10.1109/TC.2013.13

Ikram Y. S., Madkour M. A. I. Enhanced host-based intrusion detection using system call traces. Journal of King Abdulaziz University (Computing and Information Technology Sciences), 2019, vol. 8, pp. 93–109.

Zhang Y., Luo S., Pan L., Zhang H. Syscall-BSEM: Behavioral semantics enhancement method of system call sequence for high accurate and robust host intrusion detection. Future Generation Computer Systems, 2021, vol. 125, pp. 112–126.

Osamor F., Wellman B. Deep learning-based hybrid model for efficient anomaly detection. International Journal of Advanced Computer Science and Applications, 2022, vol. 13, no. 4, pp. 975–979. https://doi.org/10.14569/IJACSA.2022.01304111

Anandapriya M., Lakshmanan B. Anomaly based host intrusion detection system using semantic based system call patterns. IEEE 9^th International Conference on Intelligent Systems and Control (ISCO). Coimbatore, India, 2015, pp. 1–4. https://doi.org/10.1109/ISCO.2015.7282244

Lu Y., Teng S. Application of sequence embedding in host-based intrusion detection system. IEEE 24^th International Conference on Computer Supported Cooperative Work in Design (CSCWD). Dalian, China, 2021, pp. 434–439.

Ouarda L., Bourenane M., Bouderah B. Towards a better similarity algorithm for host-based intrusion detection system. Journal of Intelligent Systems, 2023, vol. 32, no. 1, art. no. 20220259. https://doi.org/10.1515/jisys-2022-0259

Le T.-T.-H., Kim J., Kim H. An effective intrusion detection classifier using long short-term memory with gradient descent optimization. Proceedings of the 2017 International Conference on Platform Technology and Service (PlatCon). Busan, Korea, 2017, pp. 1–6. https://doi.org/10.1109/PlatCon.2017.7883684

Staudemeyer R. C., Omlin C. W. Evaluating performance of long short-term memory recurrent neural networks on intrusion detection data. Proceedings of the South African Institute for Computer Scientists and Information Technologists Conference (SAICSIT 13). New York, ACM, 2013, pp. 218–224. https://doi.org/10.1145/2513456.2513490

Staudemeyer R. C. Applying long short-term memory recurrent neural networks to intrusion detection. South African Computer Journal, 2015, vol. 56. https://doi.org/10.18489/sacj.v56i1.248

Bontemps L., Cao V. L., McDermott J., Le-Khac N. A. Collective anomaly detection based on long short-term memory recurrent neural networks. Proceedings of 3^rd International Conference on Future Data and Security Engineering, Springer International Publishing, 2016, pp. 141–152. https://doi.org/10.1007/978-3-319-48057-29

Kim J., Kim J., Thu H. L. T., Kim H. Long short term memory recurrent neural network classifier for intrusion detection. International Conference on Platform Technology and Service (PlatCon), 2016, pp. 1–5. https://doi.org/10.1109/PlatCon.2016.7456805

Blei D. M., Kucukelbir A., McAuliffe J. D. Variational inference: A review for statisticians. Journal of the American Statistical Association, 2017, vol. 112, iss. 518, pp. 859–877. https://doi.org/10.1080/01621459.2017.1285773

Liu T. F., Ting K. M., Zhou Z.-H. Isolation forest. Proceedings of the 2008 Eighth IEEE International Conference on Data Mining. Pisa, Italy, 2008, pp. 413–422.

University of New Mexico (UNM) dataset for intrusion detection. Available at: https://www.cs.unm.edu/ immsec/data-sets.htm (accessed: August 15, 2022).

The ADFA Intrusion Detection Datasets. Available at: https://research.unsw.edu.au/projects/adfa-ids-datasets (accessed: September 10, 2023).

Yeung D. Y., Ding Y. Host-based intrusion detection using dynamic and static behavioral models. Pattern Recognition, 2003, vol. 36, no. 1, pp. 229–243.

Wang W., Guan X. H., Zhang X. L. Modeling program behaviors by hidden Markov models for intrusion detection. Proceedings of 2004 International Conference on Machine Learning and Cybernetics (IEEE Cat. no. 04EX826). Shanghai, China, 2004, vol. 5, pp. 2830–2835.

Murtaza S. S., Khreich W., Hamou-Lhadj A., Gagnon S. A trace abstraction approach for host-based anomaly detection. 2015 IEEE Symposium on Computational Intelligence for Security and Defense Applications (CISDA). Verona, 2015, pp. 1–8.

Borisaniya B., Patel D. Evaluation of modified vector space representation using ADFA-LD and ADFA-WD datasets. Journal of Information Security, 2015, vol. 6, no. 3, pp. 250–264.