基于集成学习的系统调用实时异常检测框架

doi:10.19678/j.issn.1000-3428.0065643

摘要/Abstract

摘要： 基于系统调用数据的异常检测无法完成进程生命周期内的入侵行为同步感知任务，且存在实时异常检测准确率低的问题。提出一个基于集成学习的系统调用实时异常检测框架，其中包括数据处理与切片、集成学习、异常检测与反馈模块。在数据处理与切片模块中，对处于生命周期内的进程行为轨迹进行采集与分析，根据线上待分析数据与线下模型训练数据对时效性的不同要求，设计2种系统调用轨迹的切分策略；在集成学习模块中，改进GPT语言模型和门控循环神经单元用于构建系统调用轨迹片段行为轮廓，以集成学习思想融合异常检测异构模型同时抓取单向语义特征与统计特征；在异常检测与反馈模块中，采用考虑单个系统调用重要度的异常判决方法，引入同步感知与实时裁决共存的异常预警机制。在公开数据集上的实验结果表明，该框架具有进程生命周期内的入侵同步感知能力，所构建的集成模型在保证低误报率（0.2%）的同时具有高异常检测准确率（99.3%），优于决策树模型、单分类SVM、BiLSTM等对比模型。

关键词: 异常检测, 系统调用, 主机入侵检测, 集成学习, 半监督学习

Abstract: Anomaly detection based on system calls data cannot complete the synchronous perception task of intrusion behavior within the process lifecycle，and there is a problem of low real-time anomaly detection accuracy. We proposes a real-time anomaly detection framework for system calls based on integrated learning，which includes data processing and slicing，integrated learning，anomaly detection and feedback modules. In the data processing and slicing module，the process behavior trajectories are collected and analyzed within the lifecycle.Based on the different requirements for timeliness of online and offline model training data，two segmentation strategies are designed for system calls trajectories；in the integrated learning module，the improved GPT language model and Gated Recurrent Unit（GRU） are used to construct the behavior profile of system calls trajectory fragments，and the integrated learning idea is used to fuse anomaly detection heterogeneous models while capturing unidirectional semantic and statistical features；in the anomaly detection and feedback module，an anomaly detection method that considers the importance of individual system calls is adopted，and an anomaly warning mechanism that coexists with synchronous perception and real-time decision-making is introduced.The experimental results on public datasets show that the framework has the ability to detect intrusion synchronization throughout the process lifecycle. The constructed integrated model ensures a low false alarm rate（0.2%） while maintaining a high anomaly detection accuracy（99.3%），which is superior to comparison models such as Decision Tree（DT），one-class SVM， and BiLSTM models.

Key words: anomaly detection, system calls, host intrusion detection, integrated learning, semi-supervised learning

中图分类号:

TP309.1

陈仲磊, 伊鹏, 陈祥, 胡涛. 基于集成学习的系统调用实时异常检测框架[J]. 计算机工程, 2023, 49(6): 162-169,179.

CHEN Zhonglei, YI Peng, CHEN Xiang, HU Tao. Real-time Anomaly Detection Framework via System Calls Based on Integrated Learning[J]. Computer Engineering, 2023, 49(6): 162-169,179.

http://www.ecice06.com/CN/Y2023/V49/I6/162

图/表 12

20230615165634

20230615165637

20230615165640

20230615165644

20230615165647

20230615165650

20230615165654

20230615165657

20230615165701

20230615165704

20230615165710

20230615165714

参考文献

[1] UNNISA A N,YERVA M,M Z K.Review on Intrusion Detection System(IDS) for network security using machine learning algorithms[J].International Research Journal on Advanced Science Hub,2022,4(3):67-74.
[2] JEWELL B,BEAVER J.Host-based data exfiltration detection via system call sequences[C]//Proceedings of the 6th International Conference on Information Warfare and Security.Washington D.C.,USA:IEEE Press,2011:134-142.
[3] HOFMEYR S A,FORREST S,SOMAYAJI A.Intrusion detection using sequences of system calls[J].Journal of Computer Security,1998,6(3):151-180.
[4] XIE M,HU J K.Evaluating host-based anomaly detection systems:a preliminary analysis of ADFA-LD[C]//Proceedings of the 6th International Congress on Image and Signal Processing.Washington D.C.,USA:IEEE Press,2014:1711-1716.
[5] XIE M,HU J K,SLAY J.Evaluating host-based anomaly detection systems:application of the one-class SVM algorithm to ADFA-LD[C]//Proceedings of the 11th International Conference on Fuzzy Systems and Knowledge Discovery.Washington D.C.,USA:IEEE Press,2014:978-982.
[6] XIE M,HU J K,YU X H,et al.Evaluating host-based anomaly detection systems:application of the frequency-based algorithms to ADFA-LD[C]//Proceedings of International Conference on Network and System Security.Berlin,Germany:Springer,2014:542-549.
[7] HAIDER W,HU J K,XIE M.Towards reliable data feature retrieval and decision engine in host-based anomaly detection systems[C]//Proceedings of the 10th IEEE Conference on Industrial Electronics and Applications.Washington D.C.,USA:IEEE Press,2015:513-517.
[8] KOLOSNJAJI B,ZARRAS A,WEBSTER G,et al.Deep learning for classification of malware system call sequences[C]//Proceedings of the 29th Australasian Joint Conference on Artificial Intelligence.Berlin,Germany:Springer,2016:137-149.
[9] CHAWLA A,LEE B,FALLON S,et al.Host based intrusion detection system with combined CNN/RNN model[C]//Proceedings of Joint European Conference on Machine Learning and Knowledge Discovery in Databases.Berlin,Germany:Springer,2018:149-158.
[10] ZHANG Y,LUO S,PAN L,et al.Syscall-BSEM:behavioral semantics enhancement method of system call sequence for high accurate and robust host intrusion detection[J].Future Generation Computer Systems,2021,125:112-126.
[11] RADFORD A,NARASIMHAN K,SALIMANS T,et al.Improving language understanding by generative pre-training[EB/OL].[2022-05-10].https://www.semanticscholar.org/paper/Improving-Language-Understanding-by-Generative-Radford-Narasimhan/cd18800a0fe0b668a1cc19f2ec95b5003d0a5035.
[12] FORREST S,HOFMEYR S A,SOMAYAJI A,et al.A sense of self for UNIX processes[C]//Proceedings of 1996 IEEE Symposium on Security and Privacy.Washington D.C.,USA:IEEE Press,2002:120-128.
[13] BROWN P,BROWN A,GUPTA M,et al.Online malware classification with system-wide system calls in cloud IaaS[C]//Proceedings of the 23rd IEEE International Conference on Information Reuse and Integration for Data Science.Washington D.C.,USA:IEEE Press,2022:146-151.
[14] WUNDERLICH S,RING M,LANDES D,et al.The impact of different system call representations on intrusion detection[J].Logic Journal of the IGPL,2022,30(2):239-251.
[15] XIE W Q,XU S W,ZOU S H,et al.A system-call behavior language system for malware detection using a sensitivity-based LSTM model[C]//Proceedings of the 3rd International Conference on Computer Science and Software Engineering.New York,USA:ACM Press,2020:112-118.
[16] MELVIN A A R,KATHRINE G J W,PASUPATHI S,et al.An AI powered system call analysis with bag of word approaches for the detection of intrusions and malware in Australian Defence Force Academy and virtual machine monitor malware attack data set[J].Expert Systems,2022:e13029.
[17] CASOLARE R,DE DOMINICIS C,IADAROLA G,et al.Dynamic mobile malware detection through system call-based image representation[J].Journal of Wireless Mobile Networks,Ubiquitous Computing,and Dependable Applications,2021,12(1):44-63.
[18] MORA-GIMENO F J,MORA-MORA H,VOLCKAERT B,et al.Intrusion detection system based on integrated system calls graph and neural networks[J].IEEE Access,2021,9:9822-9833.
[19] MANOHARAN S,SUGUMARAN P,KUMAR K.Multichannel based IoT malware detection system using system calls and opcode sequences[J].International Arab Journal of Information Technology,2022,19(2):261-271.
[20] IACOVAZZI A,RAZA S.Ensemble of random and isolation forests for graph-based intrusion detection in containers[C]//Proceedings of IEEE International Conference on Cyber Security and Resilience.Washington D.C.,USA:IEEE Press,2022:30-37.
[21] WANG Y L,CHEN X S,WANG Q X,et al.Unsupervised anomaly detection for container cloud via BILSTM-based variational auto-encoder[C]//Proceedings of IEEE International Conference on Acoustics,Speech and Signal Processing.Washington D.C.,USA:IEEE Press,2022:3024-3028.
[22] LV S H,WANG J,YANG Y Q,et al.Intrusion prediction with system-call sequence-to-sequence model[J].IEEE Access,2018,6:71413-71421.
[23] 陈兴蜀,金逸灵,王玉龙,等.基于长短期记忆神经网络的容器内进程异常行为检测[J].电子学报,2021,49(1):149-156.CHEN X S,JIN Y L,WANG Y L,et al.Anomaly detection of processes behavior in container based on LSTM neural network[J].Acta Electronica Sinica,2021,49(1):149-156.(in Chinese)
[24] VASWANI A,SHAZEER N,PARMAR N,et al.Attention is all you need[C]//Proceedings of the 31st International Conference on Neural Information Processing Systems.New York,USA:ACM Press,2017:6000-6010.
[25] 李橙,罗森林.基于系统调用行为相似性聚类的主机入侵检测方法研究[J].信息安全研究,2021,7(9):828-835.LI C,LUO S L.Research on host intrusion fetection method based on system call behavior similarity clustering[J].Journal of Information Security Research,2021,7(9):828-835.(in Chinese)

选择文件类型/文献管理软件名称

选择包含的内容