Towards Ground Truthing Observations in Gray-Box Anomaly Detection
Anomaly detection has been attracting interests from researchers due to its advantage of being able to detect zero-day exploits. A gray-box anomaly detector first observes benign executions of a computer program and then extracts reliable rules that govern the normal execution of the program. Howeve...
Saved in:
| Main Authors: | , , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2011
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/2006 https://ink.library.smu.edu.sg/context/sis_research/article/3005/viewcontent/nss11.pdf |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| id |
sg-smu-ink.sis_research-3005 |
|---|---|
| record_format |
dspace |
| spelling |
sg-smu-ink.sis_research-30052020-01-26T08:10:23Z Towards Ground Truthing Observations in Gray-Box Anomaly Detection MING, Jiang ZHANG, Haibin GAO, Debin Anomaly detection has been attracting interests from researchers due to its advantage of being able to detect zero-day exploits. A gray-box anomaly detector first observes benign executions of a computer program and then extracts reliable rules that govern the normal execution of the program. However, such observations from benign executions are not necessarily true evidences supporting the rules learned. For example, the observation that a file descriptor being equal to a socket descriptor should not be considered supporting a rule governing the two values to be the same. Ground truthing such observations is a difficult problem since it is not practical to analyze the semantics of every instruction in every program to be protected. In this paper, we propose using taint analysis to automatically help the ground truthing. Intuitively, the same taint source of two values provides ground truth of the data dependence. We implement a host-based anomaly detector with our proposed taint tracking and evaluate the accuracy of rules learned. Results show that we not only manage to filter out incorrect rules that would otherwise be learned (with high support and confidence), but manage recover good rules that are previously believed to be unreliable. We also present overheads of our system and time needed for training. 2011-09-01T07:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/2006 info:doi/10.1109/ICNSS.2011.6059956 https://ink.library.smu.edu.sg/context/sis_research/article/3005/viewcontent/nss11.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University anomaly detection taint analysis system call monitor ground truthing Information Security |
| institution |
Singapore Management University |
| building |
SMU Libraries |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
SMU Libraries |
| collection |
InK@SMU |
| language |
English |
| topic |
anomaly detection taint analysis system call monitor ground truthing Information Security |
| spellingShingle |
anomaly detection taint analysis system call monitor ground truthing Information Security MING, Jiang ZHANG, Haibin GAO, Debin Towards Ground Truthing Observations in Gray-Box Anomaly Detection |
| description |
Anomaly detection has been attracting interests from researchers due to its advantage of being able to detect zero-day exploits. A gray-box anomaly detector first observes benign executions of a computer program and then extracts reliable rules that govern the normal execution of the program. However, such observations from benign executions are not necessarily true evidences supporting the rules learned. For example, the observation that a file descriptor being equal to a socket descriptor should not be considered supporting a rule governing the two values to be the same. Ground truthing such observations is a difficult problem since it is not practical to analyze the semantics of every instruction in every program to be protected. In this paper, we propose using taint analysis to automatically help the ground truthing. Intuitively, the same taint source of two values provides ground truth of the data dependence. We implement a host-based anomaly detector with our proposed taint tracking and evaluate the accuracy of rules learned. Results show that we not only manage to filter out incorrect rules that would otherwise be learned (with high support and confidence), but manage recover good rules that are previously believed to be unreliable. We also present overheads of our system and time needed for training. |
| format |
text |
| author |
MING, Jiang ZHANG, Haibin GAO, Debin |
| author_facet |
MING, Jiang ZHANG, Haibin GAO, Debin |
| author_sort |
MING, Jiang |
| title |
Towards Ground Truthing Observations in Gray-Box Anomaly Detection |
| title_short |
Towards Ground Truthing Observations in Gray-Box Anomaly Detection |
| title_full |
Towards Ground Truthing Observations in Gray-Box Anomaly Detection |
| title_fullStr |
Towards Ground Truthing Observations in Gray-Box Anomaly Detection |
| title_full_unstemmed |
Towards Ground Truthing Observations in Gray-Box Anomaly Detection |
| title_sort |
towards ground truthing observations in gray-box anomaly detection |
| publisher |
Institutional Knowledge at Singapore Management University |
| publishDate |
2011 |
| url |
https://ink.library.smu.edu.sg/sis_research/2006 https://ink.library.smu.edu.sg/context/sis_research/article/3005/viewcontent/nss11.pdf |
| _version_ |
1770571765661040640 |