A Framework for Anomaly Detection in Time-Driven and Event-Driven Processes using Kernel Traces

Abstract

Model-checking and verification using Kripke structures and computational tree logic* (CTL*) use abstractions from the model/process/application to create the state-transition graphs that verify the model behavior. This scheme of profiling the performance of a process imports that the depth of the process operation correlates with the level abstraction. However, because of state explosion problems, these abstractions tend to restrict the scope to create manageable execution states. Therefore, for context modeling, this procedure does not generate a fine-grained behavioral model as generated states limit the ability of the abstraction to capture the execution time interactions amongst the processes, the hardware, and the kernel. Hence, in this paper, we present an end-to-end framework that comprises auto-encoders and probabilistic models to understand the behavior of system processes and detect deviant behaviors. We test this framework with a publicly available dataset generated from an autonomous aerial vehicle (UAV) application and the results show that by creating a fine-grained model that exploits previously unharnessed properties of the system calls, we can create a dynamic anomaly detection framework that evolves as the threats change.