Combining dynamic and static host intrusion detection features using variational long short-term memory recurrent autoencoder

Authors

  • Viet Hung Nguyen Le Quy Don Technical University, 236, ul. Hoang Quoc Viet, Hanoi, 140000, The Socialist Republic of Vietnam https://orcid.org/0000-0002-9818-4455
  • Tran Nguyen Ngoc Le Quy Don Technical University, 236, ul. Hoang Quoc Viet, Hanoi, 140000, The Socialist Republic of Vietnam https://orcid.org/0000-0002-0059-350X

DOI:

https://doi.org/10.21638/11701/spbu10.2024.104

Abstract

Despite the many advantages offered by Host Intrusion Detection Systems (HIDS), they are rarely adopted in mainstream cybersecurity strategies. Unlike Network Intrusion Detection Systems, a HIDS is the last layer of defence between potential attacks and the underlying OSs. One of the main reasons for this is its poor capability to adequately protect against zero-day attacks. With the rising number of zero-day exploits and related attacks, this is an increasingly imperative requirement for a modern HIDS. In this paper, a variational long short-term memory recurrent autoencoder approach that improves zero-day attack detection is proposed. We have practically implemented our model using TensorFlow and evaluated its performance using the benchmark ADFA-LD and UNM datasets. We have also compared the results against those from notable publications in the area.

Keywords:

HIDS, anomaly detection, variational autoencoder, deep learning



Published

2024-04-16

How to Cite

Nguyen, V. H., & Nguyen Ngoc, T. (2024). Combining dynamic and static host intrusion detection features using variational long short-term memory recurrent autoencoder. Vestnik of Saint Petersburg University. Applied Mathematics. Computer Science. Control Processes, 20(1), 34–51. https://doi.org/10.21638/11701/spbu10.2024.104

Section

Computer Science