1 / 30

Learning Rules from System Call Arguments and Sequences for Anomaly Detection

Explore the use of system call arguments in anomaly detection algorithms through LERAD. Experimental evaluation, variants of attributes, and comparisons with existing models.

lgarvey
Download Presentation

Learning Rules from System Call Arguments and Sequences for Anomaly Detection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Learning Rules from System Call Arguments and Sequences for Anomaly Detection Gaurav Tandonand Philip Chan Department of Computer Sciences Florida Institute of Technology

  2. Overview • Related work in system call sequence-based systems • Problem Statement – Can system call arguments as attributes improve anomaly detection algorithms? • Approach • LERAD ( a conditional rule learning algorithm) • Variants of attributes • Experimental evaluation • Conclusions and future work

  3. Related Work • tide (time-delay embedding) Forrest et al, 1996 • stide (sequence time-delay embedding) Hofmeyr et al, 1999 • t-stide (stide with frequency threshold) Warrender et al, 1999 • Variable length sequence-based techniques (Wespi et al, 1999, 2000; Jiang et al, 2001) False Alarms !!

  4. Problem Statement Current models – system call sequences What else can we model? System call arguments open(“/etc/passwd”) open(“/users/readme”)

  5. Approach • Models based upon system calls • 3 sets of attributes - system call sequence • system call arguments • system call arguments + sequence • Adopt a rule learning approach - Learning Rules for Anomaly Detection (LERAD)

  6. Learning Rules for Anomaly Detection (LERAD) [Mahoney and Chan, 2003] A, B, and X are attributes a, b, x1, x2 are values to the corresponding attributes p - probability of observing a value not in the consequent r - cardinality of the set {x1, x2, …} in the consequent n - number of samples that satisfy the antecedent

  7. Overview of LERAD 4 steps involved in rule generation: • From a small training sample, generate candidate rules and associate probabilities with them • Coverage test to minimize the rule set • Update rules beyond the small training sample • Validating rules on a separate validation set

  8. Step 1a: Generate Candidate Rules • Two samples are picked at random (say S1 and S2) • Matching attributes A, B and C are picked in random order (say B, C and A) • These attributes are used to form rules with 0, 1, 2 conditions in the antecedent

  9. Step 1b: Generate Candidate Rules • Adding values to the consequent based on a subset of the training set (say S1-S3) • Probability estimate p associated with every rule when it is violated ( instead of in each rule) • Rules are sorted in increasing order of the p

  10. Step 2: Coverage Test • Obtain minimal set of rules

  11. Step 2: Coverage Test • Obtain minimal set of rules

  12. Step 3: Updating rules beyond the training samples • Extend rules to the entire training (minus validation) set (samples S1-S5)

  13. Step 4: Validating rules • Test the set of rules on the validation set (S6) • Remove rules that produce anomaly

  14. Step 4: Validating rules • Test the set of rules on the validation set (S6) • Remove rules that produce anomaly

  15. Learning Rules for Anomaly Detection (LERAD) Non-stationary model - only the last occurrence of an event is important t - time interval since the last anomalous event i - index of the rule violated

  16. Variants of attributes • 3 variants • S-LERAD: system call sequence • A-LERAD: system call arguments • M-LERAD: system call arguments + sequence

  17. S-LERAD • System call sequence-based LERAD • Samples comprising 6 contiguous system call tokens input to LERAD

  18. A-LERAD • Samples containing system call along with arguments • System call will always be a condition in the antecedent of the rule

  19. M-LERAD • Combination of system call sequences and arguments

  20. 1999 DARPA IDS Evaluation [Lippmann et al, 2000] • Week 3 – Training data (~ 2.1 million system calls) • Weeks 4 and 5 – Test Data (over 7 million system calls) • Total – 51 attacks on the Solaris host

  21. Experimental Procedures • Preprocessing the data: BSM audit log Applications Processes • Model per application • Merge all alarms Pj Pi Pk … Application 1 Application 2 Application N

  22. Evaluation Criteria • Attack detected if alarm generated within 60 seconds of occurrence of the attack • Number of attacks detected @ 10 false alarms/day • Time and storage requirements

  23. Detections vs. false alarms

  24. Percentage detections per attack type

  25. Comparison of CPU times

  26. Storage Requirements • More data extracted (system calls + arguments) – more space • Only during training – can be done offline • Small rule set vs. large database (stide, t-stide) • e.g. for tcsh application: 1.5 KB file for the set of rules (M-LERAD) 5 KB for sequence database (stide)

  27. Summary of contributions • Introduced argument information to model systems • Enhanced LERAD to form rules with system calls as pivotal attributes • LERAD with argument information detects more attacks than existing system call sequence based algorithms (tide, stide, t-stide). • Sequence + argument based system generally detected the most attacks with different false alarm rates • Argument information alone can be used effectively to detect attacks at lower false alarm rates • Less memory requirements during detection as compared to sequence based techniques

  28. Future Work • More $$$$$$$$$$

  29. Future Work • A richer representation More attributes - time between subsequent system calls • Anomaly score t-stide vs. LERAD

  30. Thank You

More Related