AIDIS: Detecting and Classifying Anomalous Behavior in UbiquitousKernel Processes
Targeted attacks on IT systems are a rising threat against the confidentiality, integrity, and availability of critical information and infrastructures. With the rising prominence of advanced persistent threats (APTs), identifying and under-standing such attacks has become increasingly important. Current signature-based systems are heavily reliant on fixed patterns that struggle with unknown or evasive applications, while behavior-based solutions usually leave most of the interpretative work to a human analyst.In this article we propose AIDIS, an Advanced Intrusion Detection and Interpretation System capable to explain anomalous behavior within a network-enabled user session by considering kernel event anomalies identified through their deviation from a set of baseline process graphs. For this purpose we adapt star-structures, a bipartite representation used to approximate the edit distance be-tween two graphs. Baseline templates are generated automatically and adapt to the nature of the respective operating system process.We prototypically implemented smart anomaly classification through a set of competency questions applied to graph template deviations and evaluated the approach using both Random Forest and linear kernel support vector machines.The determined attack classes are ultimately mapped to a dedicated APT at-tacker/defender meta model that considers actions, actors, as well as assets and mitigating controls, thereby enabling decision support and contextual interpretation of ongoing attacks
The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link.
Citation : Luh, R., Janicke, H. and Schrittwieser, S. (2019) AIDIS: Detecting andClassifying Anomalous Behavior in Ubiquitous Kernel Processes,Computers & Security, 84, pp. 120-147
Research Institute : Cyber Technology Institute (CTI)
Peer Reviewed : Yes