AIDIS: Detecting and classifying anomalous behavior in ubiquitous kernel processes

Abstract

Targeted attacks on IT systems are a rising threat against the confidentiality, integrity, and availability of critical information and infrastructures. With the growing prominence of advanced persistent threats (APTs), identifying and understanding such attacks has become increasingly important. Current signature-based systems rely heavily on fixed patterns and struggle with unknown or evasive applications, while behavior-based solutions usually leave most of the interpretative work to a human analyst. In this article we propose AIDIS, an Advanced Intrusion Detection and Interpretation System capable of explaining anomalous behavior within a network-enabled user session by considering kernel event anomalies identified through their deviation from a set of baseline process graphs. For this purpose we adapt star structures, a bipartite representation used to approximate the edit distance between two graphs. Baseline templates are generated automatically and adapt to the nature of the respective operating system process. We implemented a prototype of smart anomaly classification through a set of competency questions applied to graph template deviations and evaluated the approach using both Random Forest and linear-kernel support vector machines. The determined attack classes are ultimately mapped to a dedicated APT attacker/defender meta model that considers actions, actors, assets, and mitigating controls, thereby enabling decision support and contextual interpretation of ongoing attacks.

Authors
  • Luh, Robert
  • Janicke, Helge
  • Schrittwieser, Sebastian
Shortfacts
Category: Journal Paper
Divisions: Security and Privacy
Subjects: Computer Security; Applied Computer Science
Journal or Publication Title: Computers & Security
ISSN: 0167-4048
Publisher: Elsevier Advanced Technology
Page Range: pp. 120-147
Volume: 84
Date: 2019
Official URL: https://www.sciencedirect.com/science/article/pii/...