Windows Based Data Sets for Evaluation of Robustness of Host Based Intrusion Detection Systems (IDS) to Zero-Day and Stealth Attacks

Haider, Waqas; Creech, Gideon; Xie, Yi; Hu, Jiankun

doi:10.3390/fi8030029

Cited by 54 publications

(40 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Larger Cross-evaluation. We emphasize that comparing UNI-CORN with other existing IDS (most of which are syscallbased) is difficult for several reasons: A) many IDS are not open-source; B) existing public IDS datasets are either outdated [4], [85] or require a translation [28], [50], [51] from, e.g., syscall traces to data provenance, which is challenging and sometimes impossible (due to lack of information); C) systems that create their own private datasets only superficially describe their experimental procedures, making it difficult to fairly reproduce the experiments for provenance data. We believe that such a meta-study is a worthwhile endeavor that we plan to pursue in future work.…”

Section: Discussion and Limitationsmentioning

confidence: 99%

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

Han¹,

Pasquier²,

Bates³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

157

111

View full text Add to dashboard Cite

Advanced Persistent Threats (APTs) are difficult to detect due to their "low-and-slow" attack patterns and frequent use of zero-day exploits. We present UNICORN, an anomalybased APT detector that effectively leverages data provenance analysis. From modeling to detection, UNICORN tailors its design specifically for the unique characteristics of APTs. Through extensive yet time-efficient graph analysis, UNICORN explores provenance graphs that provide rich contextual and historical information to identify stealthy anomalous activities without predefined attack signatures. Using a graph sketching technique, it summarizes long-running system execution with space efficiency to combat slow-acting attacks that take place over a long time span. UNICORN further improves its detection capability using a novel modeling approach to understand long-term behavior as the system evolves. Our evaluation shows that UNICORN outperforms an existing state-of-the-art APT detection system and detects reallife APT scenarios with high accuracy.

show abstract

Section: Discussion and Limitationsmentioning

confidence: 99%

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

Han¹,

Pasquier²,

Bates³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

157

111

View full text Add to dashboard Cite

show abstract

“…The peak of cyber-attack traffic launched by a huge number of Mirai-infected IoT devices reached 620 Gbps [2]. There were 10,263 botnets hosted in different IoT devices identified in 2018 [3]. Another distributed denial of services (DDoS) attack from compromised IoT devices, called "IoTroop," was discovered by Check Point in 2017 [4].…”

Section: Intrusion Detection System (Ids)mentioning

confidence: 99%

“…How to implement a lightweight and efficient detection system in the IoT environment has become a crucially important issue. The IDS on fog computing [24] was introduced using new modern datasets, namely Australian Defence Force Academy Linux Dataset (ADFA-LD) and ADFA-Windows Dataset (ADFA-WD) [3,25]. This work [24] also used Raspberry Pi to evaluate the performance of attack detecting model.…”

Section: Raspberry Pi-based Idsmentioning

confidence: 99%

Towards a Lightweight Detection System for Cyber Attacks in the IoT Environment Using Corresponding Features

et al. 2020

View full text Add to dashboard Cite

The application of a large number of Internet of Things (IoT) devices makes our life more convenient and industries more efficient. However, it also makes cyber-attacks much easier to occur because so many IoT devices are deployed and most of them do not have enough resources (i.e., computation and storage capacity) to carry out ordinary intrusion detection systems (IDSs). In this study, a lightweight machine learning-based IDS using a new feature selection algorithm is designed and implemented on Raspberry Pi, and its performance is verified using a public dataset collected from an IoT environment. To make the system lightweight, we propose a new algorithm for feature selection, called the correlated-set thresholding on gain-ratio (CST-GR) algorithm, to select really necessary features. Because the feature selection is conducted on three specific kinds of cyber-attacks, the number of selected features can be significantly reduced, which makes the classifiers very small and fast. Thus, our detection system is lightweight enough to be implemented and carried out in a Raspberry Pi system. More importantly, as the really necessary features corresponding to each kind of attack are exploited, good detection performance can be expected. The performance of our proposal is examined in detail with different machine learning algorithms, in order to learn which of them is the best option for our system. The experiment results indicate that the new feature selection algorithm can select only very few features for each kind of attack. Thus, the detection system is lightweight enough to be implemented in the Raspberry Pi environment with almost no sacrifice on detection performance.

show abstract

“…However, ADFA family datasets only have minimal data required for intrusion detection, as they contain only system call identification-system dynamic link library (dll) file name and the called function name. Even the authors of the ADFA-IDS agree that the dataset is incomplete: only basic information was collected, and an insufficient number of vulnerabilities were used to generate malicious activity [13].…”

Section: Introductionmentioning

confidence: 99%

Evaluation of Deep Learning Methods Efficiency for Malicious and Benign System Calls Classification on the AWSCTD

Čeponis

Goranin

2019

Security and Communication Networks

View full text Add to dashboard Cite

The increasing amount of malware and cyberattacks on a host level increases the need for a reliable anomaly-based host IDS (HIDS) that would be able to deal with zero-day attacks and would ensure low false alarm rate (FAR), which is critical for the detection of such activity. Deep learning methods such as convolutional neural networks (CNNs) and recurrent neural networks (RNNs) are considered to be highly suitable for solving data-driven security solutions. Therefore, it is necessary to perform the comparative analysis of such methods in order to evaluate their efficiency in attack classification as well as their ability to distinguish malicious and benign activity. In this article, we present the results achieved with the AWSCTD (attack-caused Windows OS system calls traces dataset), which can be considered as the most exhaustive set of host-level anomalies at the moment, including 112.56 million system calls from 12110 executable malware samples and 3145 benign software samples with 16.3 million system calls. The best results were obtained with CNNs with up to 90.0% accuracy for family classification and 95.0% accuracy for malicious/benign determination. RNNs demonstrated slightly inferior results. Furthermore, CNN tuning via an increase in the number of layers should make them practically applicable for host-level anomaly detection.

show abstract

Windows Based Data Sets for Evaluation of Robustness of Host Based Intrusion Detection Systems (IDS) to Zero-Day and Stealth Attacks

Cited by 54 publications

References 17 publications

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

Towards a Lightweight Detection System for Cyber Attacks in the IoT Environment Using Corresponding Features

Evaluation of Deep Learning Methods Efficiency for Malicious and Benign System Calls Classification on the AWSCTD

Contact Info

Product

Resources

About