Abstract

Globally, more than 80% of end-user devices run Microsoft's Windows-based operating systems. Consequently, the majority of cyber-attack payloads are crafted specifically to exploit vulnerabilities in the various software modules of Windows-based operating systems. To address this security issue, this paper proposes a stacking ensemble-based HIDS framework for detecting anomalous system processes. The proposed HIDS framework analyzes process files consisting of the sequence of DLL calls that application and system processes make to the Windows kernel, and uses them to detect anomalous processes. The framework first transforms each process file's sequence of DLL invocations into its corresponding n-gram feature vector. It then uses two state-of-the-art word embedding techniques, Word2Vec and GloVe, to learn the contextual inter-dependencies between the n-gram terms of the feature vectors and to generate a fixed-length embedding vector for each n-gram term. These learned numeric embedding vectors, together with the n-gram feature vectors of the process files, are then used to train an ensemble classifier consisting of LSTM, Bi-LSTM, GRU and Bi-GRU base-level classifiers and a fully connected neural network meta-level classifier, which classifies each process file as either normal or anomalous. The proposed HIDS framework is capable of detecting a wide range of Windows-based attacks with high accuracy and precision. Experimental results show that it achieves an accuracy of 91.00% and a precision of 93.30% on the benchmark binary-class Australian Defence Force Academy Windows Dataset (ADFA-WD). It also achieves an accuracy of 68.70% and a precision of 67.80% on the multi-class ADFA-WD dataset, both of which are significantly higher than those of similar HIDS frameworks proposed in the literature.
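As an added illustration that is not code from the paper, the following shows the framework's first stage: turning each process file's DLL call sequence into a fixed-length n-gram feature vector, and into a sequence of n-gram tokens that an embedding model such as Word2Vec or GloVe can treat as "words". The process traces and DLL call names are constructed for the example and are not taken from ADFA-WD.

```python
from collections import Counter

# Constructed sample "process files": each is the ordered sequence of DLL calls
# one process made. Names are illustrative only, not ADFA-WD traces.
PROCESS_FILES = {
    "proc_normal_1": ["kernel32.CreateFileW", "kernel32.ReadFile", "kernel32.CloseHandle"],
    "proc_normal_2": ["kernel32.CreateFileW", "kernel32.WriteFile", "kernel32.CloseHandle"],
    "proc_short": ["kernel32.CloseHandle"],  # shorter than n for any n >= 2
}


def ngrams(calls, n):
    """Yield the contiguous n-grams (as tuples) of a DLL call sequence.
    A sequence shorter than n yields nothing, so it maps to an all-zero vector."""
    for i in range(len(calls) - n + 1):
        yield tuple(calls[i:i + n])


def build_vocabulary(process_files, n):
    """Sorted vocabulary of every n-gram term seen across the training files;
    its order fixes the position of each term in the feature vectors."""
    vocab = set()
    for calls in process_files.values():
        vocab.update(ngrams(calls, n))
    return sorted(vocab)


def feature_vector(calls, vocab, n):
    """Fixed-length count vector of one process file over the vocabulary.
    n-grams absent from the vocabulary are dropped, which is how a vocabulary
    learned on training data behaves on a previously unseen process."""
    counts = Counter(ngrams(calls, n))
    return [counts[term] for term in vocab]


def as_embedding_tokens(calls, n):
    """Represent each n-gram as one string token so an embedding model can
    learn one vector per n-gram term, as the framework does with Word2Vec/GloVe."""
    return ["|".join(gram) for gram in ngrams(calls, n)]


def featurize(process_files, n):
    vocab = build_vocabulary(process_files, n)
    vectors = {name: feature_vector(calls, vocab, n) for name, calls in process_files.items()}
    return vocab, vectors


if __name__ == "__main__":
    vocab, vectors = featurize(PROCESS_FILES, 2)
    for name, vec in vectors.items():
        print(name, vec)
```

With n=2 the three constructed files give four bigram terms, and the one-call trace correctly becomes a zero vector rather than raising an error.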
