Sequences Of System Calls Research Articles

Risk-Based System-Call Sequence Grouping Method for Malware Intrusion Detection

Malware intrusion is a serious threat to cybersecurity; that is why new and innovative methods are constantly being developed to detect and prevent it. This research focuses on malware intrusion detection through the usage of system calls and machine learning. An effective and clearly described system-call grouping method could increase the various metrics of machine learning methods, thereby improving the malware detection rate in host-based intrusion-detection systems. In this article, a risk-based system-call sequence grouping method is proposed that assigns riskiness values from low to high based on function risk value. The application of the newly proposed grouping method improved classification accuracy by 23.4% and 7.6% with the SVM and DT methods, respectively, compared to previous results obtained on the same methods and data. The results suggest the use of lightweight machine learning methods for malware attack can ensure detection accuracy comparable to deep learning methods.

Stories from a Customized Honeypot for the IoT

<p>Since the inception of the Internet of Things (IoT), the security measures implemented on its devices have been too weak to ensure the appropriate protection of the data that they handle. Appealed by this, cybercriminals continuously seek out for vulnerable units to control, leading to attacks spreading through networks and infecting a high number of devices. On top of that, while the IoT has evolved to provide a higher degree of security, the techniques used by attackers have done so as well, which has led to the need of continuously studying the way in which these attacks are performed to gather significant knowledge for the development of the pertinent security measures. In view of this, we analyze the state of IoT attacks by developing a high-interaction honeypot for SSH and Telnet services that simulates a custom device with the ARM architecture. This study is carried out in two steps. Firstly, we analyze and classify the interaction between the attacker and the devices by clustering the commands that they sent in the compromised Telnet and SSH sessions. Secondly, we study the malware samples that are downloaded and executed in each session and classify them based on the sequence of system calls that they execute at runtime. In addition, apart from studying the active data generated by the attacker, we extract the information that is left behind after a connection with the honeypot by inspecting the metadata associated with it. In total, more than 1,578 malicious samples were collected after 9,926 unique IP addresses interacted with the system, with the most downloaded malware family being Hajime, with 70.5% of samples belonging to it, and also detecting others such as Mirai, Gafgyt, Dofloo and Xorddos.</p> <p> </p>

Designing Robust API Monitoring Solutions

Tracing the sequence of library calls and system calls that a program makes is very helpful to characterize its interactions with the surrounding environment and, ultimately, its semantics. However, due to the entanglements of real-world software stacks, accomplishing this task can be surprisingly challenging as we take accuracy, reliability, and transparency into the equation. In this article, we identify six challenges that API monitoring solutions should overcome in order to manage these dimensions effectively and outline actionable design points for building robust API tracers that can be used even for security research. We then detail and evaluate SNIPER, an open-source API tracing system available in two variants based on dynamic binary instrumentation (for simplified in-guest deployment) and hardware-assisted virtualization (realizing the first general user-space tracer of this kind), respectively.

VServiceInspector: Introspection-assisted evolutionary bag-of-ngram approach to detect malware in cloud servers

Cloud computing has become very popular and extremely demanding in the market. Several emerging technologies such as Industrial Internet of Things (IIoT), microservices and Bigdata analytics etc. are adopting cloud computing due to the availability of the high-end computing servers. However, security breaches have also started to grow along with its popularity. The advanced malware can target virtualization-based infrastructure and can harm virtual resources and thereby becoming threat to industrial applications & data hosted in cloud. The modern malware are difficult to be detected by using traditional security tools. In this paper, an introspection-assisted evolutionary bag-of-ngram approach is proposed, named as vServiceInspector for doing process monitoring from both inside the virtual machine (In-VM) & outside virtual machine (Out-VM). It employs advanced memory introspection to extract the system call sequences at Out-VM location (i.e. hypervisor). Genetic Algorithm (GA) is employed to find the most discriminating sequences of system calls and extract optimal feature set. Convolutional Neural Network (CNN), a deep learning algorithm is then used to learn and detect the malicious program execution patterns. An accuracy of 83.13%–99.63% is achieved by using University of New Mexico (UNM) dataset and an accuracy of 97.8%–99% is achieved by using University of California (Barecloud) dataset. The vServiceInspector is more accurate and more attack resilient when compared to previously proposed techniques.

Using Graph Representation in Host-Based Intrusion Detection

Cybersecurity has become an important part of our daily lives. As an important part, there are many researches on intrusion detection based on host system call in recent years. Compared to sentences, a sequence of system calls has unique characteristics. It contains implicit pattern relationships that are less sensitive to the order of occurrence and that have less impact on the classification results when the frequency of system calls varies slightly. There are also various properties such as resource consumption, execution time, predefined rules, and empirical weights of system calls. Commonly used word embedding methods, such as Bow, TI-IDF, N-Gram, and Word2Vec, do not fully exploit such relationships in sequences as well as conveniently support attribute expansion. To solve these problems, we introduce Graph Representation based Intrusion Detection (GRID), an intrusion detection framework based on graph representation learning. It captures the potential relationships between system calls to learn better features, and it is applicable to a wide range of back-end classifiers. GRID utilizes a new sequence embedding method Graph Random State Embedding (GRSE) that uses graph structures to model a finite number of sequence items and represent the structural association relationships between them. A more efficient representation of sequence embeddings is generated by random walks, word embeddings, and graph pooling. Moreover, it can be easily extended to sequences with attributes. Our experimental results on the AFDA-LD dataset show that GRID has an average improvement of 2% using the GRSE embedding method comparing to others.

AdvAndMal: Adversarial Training for Android Malware Detection and Family Classification

In recent years, Android malware has continued to evolve against detection technologies, becoming more concealed and harmful, making it difficult for existing models to resist adversarial sample attacks. At the current stage, the detection result is no longer the only criterion for evaluating the pros and cons of the model with its algorithms, it is also vital to take the model’s defensive ability against adversarial samples into consideration. In this study, we propose a general framework named AdvAndMal, which consists of a two-layer network for adversarial training to generate adversarial samples and improve the effectiveness of the classifiers in Android malware detection and family classification. The adversarial sample generation layer is composed of a conditional generative adversarial network called pix2pix, which can generate malware variants to extend the classifiers’ training set, and the malware classification layer is trained by RGB image visualized from the sequence of system calls. To evaluate the adversarial training effect of the framework, we propose the robustness coefficient, a symmetric interval i = [−1, 1], and conduct controlled experiments on the dataset to measure the robustness of the overall framework for the adversarial training. Experimental results on 12 families with the largest number of samples in the Drebin dataset show that the accuracy of the overall framework is increased from 0.976 to 0.989, and its robustness coefficient is increased from 0.857 to 0.917, which proves the effectiveness of the adversarial training method.

Intrusion Detection System Based on Integrated System Calls Graph and Neural Networks

Computer security is one of the main challenges of today's technological infrastructures, whereas intrusion detection systems are one of the most widely used technologies to secure computer systems. The intrusion detection systems use a variety of information sources, one of the most important sources are the applications' system calls. The intrusion detection systems use many different detection techniques, e.g. system calls sequences, text classification techniques and system calls graphs. However, existing techniques obtain poor results in the detection of complex attack patterns, so it is necessary to improve the detection results. This paper presents an intrusion detection system model that integrates multiple detection techniques into a single system with the goal of modeling the global behavior of the applications. In addition, the paper proposes a new modified system calls graph to integrate and represent the information of the different techniques in a single data structure. The system uses a deep neural network to combine the results of the different detection techniques used in the global model. The result of the study shows the improvement obtained in the detection results with respect to the use of individual techniques, the proposed model achieves higher detection rates and lower false positives. The proposal has been validated onto three datasets with different levels of complexity.

Detecting impersonation attacks in cloud computing environments using a centric user profiling approach

Cloud computing has become the most needed technology for the IT industry. Impersonation attacks are among the most dangerous threats that Clouds face. In this paper, we present an approach to detect masquerade attacks in Clouds. The efficient detection of these attacks should correlate user behaviors in distinct environments and also should apply to several deployment models. We present and evaluate three approaches to detect Impersonation and masquerade attacks. The first approach analyzes sequences of correlated system calls from the VMs operating systems, while the second analyzes the NetFlow data from the network environment. The third approach integrates these two approaches by using a neural network that will produce better detections than any of the first two approaches. To simplify the testing and the evaluation of the three methods, the Cloud Intrusion Detection Dataset (CIDD) is used as a source for cloud audits data. The evaluation has considered alternative deployment models through our two intrusion detection frameworks, CIDS and CIDS-VIRT. The paper also shows that the proposed detection approaches are more accurate and outperform the SWAD-MMD, a recent masquerade detection framework that works in the cloud computing systems. Furthermore, the paper details our experimental results and evaluates the computational performance and the detection accuracy of these approaches.

On the combination of data augmentation method and gated convolution model for building effective and robust intrusion detection

Deep learning (DL) has exhibited its exceptional performance in fields like intrusion detection. Various augmentation methods have been proposed to improve data quality and eventually to enhance the performance of DL models. However, the classic augmentation methods cannot be applied to those DL models which exploit the system-call sequences to detect intrusion. Previously, the seq2seq model has been explored to augment system-call sequences. Following this work, we propose a gated convolutional neural network (GCNN) model to thoroughly extract the potential information of augmented sequences. Also, in order to enhance the model’s robustness, we adopt adversarial training to reduce the impact of adversarial examples on the model. Adversarial examples used in adversarial training are generated by the proposed adversarial sequence generation algorithm. The experimental results on different verified models show that GCNN model can better obtain the potential information of the augmented data and achieve the best performance. Furthermore, GCNN with adversarial training can enhance robustness significantly.

The Impact of Different System Call Representations on Intrusion Detection

Abstract Over the years, artificial neural networks have been applied successfully in many areas including IT security. Yet, neural networks can only process continuous input data. This is particularly challenging for security-related, non-continuous data like system calls of an operating system. This work focuses on five different options to preprocess sequences of system calls so that they can be processed by neural networks. These input options are based on one-hot encodings and learning word2vec, GloVe or fastText representations of system calls. As an additional option, we analyse if mapping system calls to their respective kernel modules is an adequate generalization step for (i) replacing system calls or (ii) enhancing system call data with additional information regarding their context. When performing such preprocessing steps it is important to ensure that no relevant information is lost during the process. The overall objective of system call analysis in the context of IT security is to categorize a sequence of them as benign or malicious behavior. Therefore, this scenario is used to evaluate different system call representations in a classification task. Results indicate that a broader range of attacks can be detected when enriching system call representations with corresponding kernel module information. Prior learning of embeddings does not achieve significant improvements. This work is an extension of the work by Wunderlich et al. [1] published in Advances in Intelligent Systems and Computing (AISC, volume 951).

Natural Language Processing based Anomalous System Call Sequences Detection with Virtual Memory Introspection

Malware has become a significant problem for the security of computers in this scientific era. Nowadays, machine learning techniques are applied to find anomalous activities in computers especially in virtualization environments. Identifying anomalous activities in virtual machines with virtual memory introspector and analyzing data with machine learning techniques are need of current trend. In this paper, an anomaly detection method is implemented using Natural Language Processing (NLP) based on Bags of System Calls (BoSC) for learning the behavior of applications on Windows virtual machines running on Xen hypervisor. During this process, system call traces are extracted from normal applications (benign processes) and malware affected applications (malicious processes) with the help of virtual memory introspection. Preprocessing of extracted system call sequences is done to obtain valid system call sequences through filtering and ordering of redundant system calls. Further, analysis of behavior of system call sequences is carried out with NLP based anomaly detection techniques. During this process, Cosine Similarity Algorithm (Co-Sim) is applied to identify malicious processes running on a VM. Apart from this, Point Detection Algorithm is applied to precisely locate the point of compromise in the system call sequences. The results shown in this paper indicates that both of these algorithms detect anomalies in the running processes with 99% accuracy.

P-Gaussian: Provenance-Based Gaussian Distribution for Detecting Intrusion Behavior Variants Using High Efficient and Real Time Memory Databases

It is increasingly important and a big challenge to detect intrusion behavior variants in today's world. Previous host-based intrusion detection methods typically explore the sequence of system calls or unix shell commands to detect the intrusion behavior. This article abstracts the detection of intrusion behavior variants as the comparison between different sequences when the sequence order or length transforms. To overcome the impact of sequence transformation on the detection accuracy, we propose P-Gaussian, a provenance-based Gaussian distribution detection scheme which comprises two key design features: (1) it utilizes provenance to describe and identify intrusion behavior variants, and eliminates the impact of sequence order transformation on the detection accuracy. (2) it adopts Gaussian distribution principle to accurately compute the similarity between intrusion behavior and its variant, and eliminates the impact of intrusion behavior sequence length increase on the detection accuracy. To improve the detection performance, P-Gaussian employs a Redis memory database with multiple Redis instances and multiple threads to enable the parallelism of provenance processing in multi-core environments. It also classifies hot and cold provenance to provide high-efficient long-term forensic analysis. Experimental results on widely-used real world applications demonstrate the performance and efficiency of our system.

Detecting Anomalous Behavior in Cloud Servers by Nested-Arc Hidden SEMI-Markov Model with State Summarization

Anomaly detection for cloud servers is important for detecting zero-day attacks. However, it is very challenging due to the large amount of accumulated data. In this paper, a new mathematical model for modeling dynamic usage behavior and detecting anomalies is proposed. It is constructed using state summarization and a novel nested-arc hidden semi-Markov model (NAHSMM). State summarization is designed to extract usage behavior reflective states from a raw sequence. The NAHSMM is comprised of exterior and interior hidden Markov chains. The exterior controls the propagation of raw sequences of system calls and, conditional on it, the interior one controls the summarized observation process from the transition less usage behavior reflective states. An anomaly detection algorithm is derived by integrating state summarization and NAHSMM. During training the algorithm is assisted by a forensic module to tune the behavioral threshold. Experimental data is collected using IXIA Perfect Storm in conjunction with the commercial security-test hardware platform cyber range. To evaluate the reliability of the proposed model, first, its accuracy and training costs are compared with those of existing machine-learning models and then its scalability and resistance capabilities are tested. The results indicate that this model could be used as a method for detecting anomalies in cloud servers.

Sequence Covering for Efficient Host-Based Intrusion Detection

This paper introduces a new similarity measure, the covering similarity, which we formally define for evaluating the similarity between a symbolic sequence and a set of symbolic sequences. A pairwise similarity can also be directly derived from the covering similarity to compare two symbolic sequences. An efficient implementation to compute the covering similarity is proposed which uses a suffix-tree data structure, but other implementations, based on suffix array for instance, are possible and are possibly necessary for handling very large-scale problems. We have used this similarity to isolate attack sequences from normal sequences in the scope of host-based intrusion detection. We have assessed the covering similarity on two well-known benchmarks in the field. In view of the results reported on these two datasets for the state-of-the-art methods, according to the comparative study, we have carried out based on three challenging similarity measures commonly used for string processing, or in bioinformatics, we show that the covering similarity is particularly relevant to address the detection of anomalies in sequences of system calls.

SWORD: Semantic aWare andrOid malwaRe Detector

Malicious android applications have become more advanced and severe threat to user privacy, confidentiality, integrity, money, and device. The process of malware evolution mainly consists of modifications to existing malware using repackaging of apps employing polymorphism, metamorphism and injecting malicious code. The existing dynamic approaches can handle polymorphism, metamorphism and repacking of apps but failed to address code injection at runtime, as it modifies the control/data flow. In this paper, we present a semantic aware dynamic malware detection tool, SWORD. It encapsulates the semantics of Android apps in such a way that makes it resilient towards injection-based evasion techniques. The intuition behind specifying the semantics of apps lies in applying Asymptotic Equipartition Property (AEP) inherited from information theory domain. The semantics of the app are captured using a sequence of system-calls. To assess the efficacy of SWORD, we carried out comprehensive experiments on 6000 execution traces of 2000 applications (1000 malware apps belonging to 119 different families and 1000 benign apps, selected randomly from 12,000 Google Play store apps). We obtain a detection accuracy of 94.2%. Moreover, we show that SWORD can cope with the code injection based evasion techniques.

A novel pattern recognition system for detecting Android malware by analyzing suspicious boot sequences

This paper introduces a malware detection system for smartphones based on studying the dynamic behavior of suspicious applications. The main goal is to prevent the installation of the malicious software on the victim systems. The approach focuses on identifying malware addressed against the Android platform. For that purpose, only the system calls performed during the boot process of the recently installed applications are studied. Thereby the amount of information to be considered is reduced, since only activities related with their initialization are taken into account. The proposal defines a pattern recognition system with three processing layers: monitoring, analysis and decision-making. First, in order to extract the sequences of system calls, the potentially compromised applications are executed on a safe and isolated environment. Then the analysis step generates the metrics required for decision-making. This level combines sequence alignment algorithms with bagging, which allow scoring the similarity between the extracted sequences considering their regions of greatest resemblance. At the decision-making stage, the Wilcoxon signed-rank test is implemented, which determines if the new software is labeled as legitimate or malicious. The proposal has been tested in different experiments that include an in-depth study of a particular use case, and the evaluation of its effectiveness when analyzing samples of well-known public datasets. Promising experimental results have been shown, hence demonstrating that the approach is a good complement to the strategies of the bibliography.

Intrusion Prediction With System-Call Sequence-to-Sequence Model

The advanced development of the Internet facilitates efficient information exchange while also been exploited by adversaries. Intrusion detection system is an important defense component of network security that has always been widely studied in security research. However, the research of intrusion prediction, which is more critical for network security, received less attention. General research methods regarding prediction are analyzing short term of system-calls to predict forthcoming abnormal behaviors. However, those approaches have poor accuracy due to their limited sequence dependency. To solve this problem, in this paper, we take advantage of the remarkable performance of recurrent neural networks in dealing with long sequential problems, introducing the sequence-to-sequence model into our intrusion prediction work. By semantically modeling system-calls, we build a robust system-call sequence-to-sequence prediction model. Our prediction model predicts a sequence of system-calls that will be executed in the future, which will enable the monitoring of system state and the prediction of attack behavior. The experiments show that the prediction method proposed in this paper achieved well prediction performance on ADFA-LD intrusion detection test data set. Moreover, the predicted sequence, combined with the known invoked traces of system call, significantly improves the performance of intrusion detection verified on various classifiers.

A Security Monitoring Framework For Virtualization Based HEP Infrastructures

High Energy Physics (HEP) distributed computing infrastructures require automatic tools to monitor, analyze and react to potential security incidents. These tools should collect and inspect data such as resource consumption, logs and sequence of system calls for detecting anomalies that indicate the presence of a malicious agent. They should also be able to perform automated reactions to attacks without administrator intervention. We describe a novel framework that accomplishes these requirements, with a proof of concept implementation for the ALICE experiment at CERN. We show how we achieve a fully virtualized environment that improves the security by isolating services and Jobs without a significant performance impact. We also describe a collected dataset for Machine Learning based Intrusion Prevention and Detection Systems on Grid computing. This dataset is composed of resource consumption measurements (such as CPU, RAM and network traffic), logfiles from operating system services, and system call data collected from production Jobs running in an ALICE Grid test site and a big set of malware samples. This malware set was collected from security research sites. Based on this dataset, we will proceed to develop Machine Learning algorithms able to detect malicious Jobs.

Empirical Evaluation of a System Call-Based Android Malware Detector

The extensive use of smartphones and increased popularity of Android operating system have proliferated in malware attacks. In order to overcome these malicious attacks, numerous malware detectors are now available and have been described in various literature. A majority of detectors rely on system calls, as these are non-bypassable interface for user applications to system services. In order to defeat the system call-based detectors, an adversary usually deploys mimicry attack (see Section 5.2) through which a sequence of system calls are injected into malicious apps to alter the actual sequence. It is evident that signature-based detectors result in high false alarm rate, due to such mimicry attacks. Therefore, in this paper, we propose a non-signature-based malware detector, that is not vulnerable to mimicry attack, by keeping the false alarm rate very low. In the present work, two different environment settings have been created for monitoring the deviation in the behaviour of synthetic user events, against those of real ones, through application executions. Feature selection was carried out by employing “Scatter Assessment” method on 2100 apps. Extensive experimentation has been carried out to select a concise set of features. The proposed method selects features in such a way, that it minimizes and maximizes the intra- and inter-class variances, respectively. Such a variance optimization allows us to evade mimicry attacks. The method has been validated for effectiveness and applicability, by means of two different datasets comprising of real samples. An area under curve of 1.0 with accuracy in the range of 99.8–100% was obtained, proving the efficacy of the proposed malware scanner.

Malware Detection in Mobile Devices by Analyzing Sequences of System Calls

Malware Detection in Mobile Devices by Analyzing Sequences of System Calls