Host anomalies detection using autoencoders

A. Gurina, O. Guzev, V. Eliseev

Abstract


Traditional intrusion detection tools deal well with detecting known computer attacks but it is not enough to detect zero-day attacks. Improving computer security can be achieved by using a set of measures: signature analysis and anomaly detection. This article proposes a method for detecting abnormal Windows hosts events. The fundamental idea of the method is to build a model of normal host behavior using neural networks (autoencoders). The normal host behavior model is used to analyze the degree of abnormality of new host events. The method uses two autoencoders of different architectures to analyze events divided into two groups. The way of events digitization for groups is different. The anomaly criterion for a new event is the excess of Immediate Reconstruction Error (IRE) threshold. IRE threshold is calculated separately for each autoencoder at the training stage. The effectiveness of the method is confirmed by means of detecting malicious use of Windows system utilities and other atypical and suspicious Windows events. The article describes in detail: the algorithm for detecting abnormal Windows events, events digitization methods, neural networks architecture, the anomaly criterion and quality criteria of trained neural networks and the advantages and disadvantages of the proposed anomaly detection method.


Full Text:

PDF (Russian)

References


Positive Technologies. Kiberbezopasnost' 2019-2020. Trendy i prognozy. [V Internete] 19 Dekabrja 2019 g. [Citirovano: 13 Janvarja 2020 g.] https://www.ptsecurity.com/ru-ru/research/analytics/cybersecurity-2019-2020/#id3-3.

Lavrent'ev, Andrej. MLAD: obnaruzhenie anomalij metodami mashinnogo obuchenija. Laboratorija Kasperskogo. [V Internete] 2018 g. [Citirovano: 13 Janvarja 2020 g.] https://ics-cert.kaspersky.ru/reports/2018/01/16/mlad-machine-learning-for-anomaly-detection/.

Gamajunov, Denis Jur'evich. Obnaruzhenie komp'juternyh atak na osnove analiza povedenija setevyh ob"ektov. MGU im. M.V. Lomonosova. 2007.

Daboubi, Walid. Anomaly detection with autoencoder neural network applied on detecting malicious URLs. [V Internete] 1 Ijulja 2018 g. [Citirovano: 13 Janvarja 2020 g.] https://medium.com/@walid.daboubi/anomaly-detection-with-autoencoder-neural-network-applied-on-detecting-malicious-urls-7536abcb403f.

Hieu, Mac, Dung, Truong i all, et. Detecting Attacks on Web Applications using Autoencoder. SoICT 2018. 2018 g.

Gurina, Anastasia i Eliseev, Vladimir. Anomaly-Based Method for Detecting Multiple Classes of Network Attacks. 2019 g., Information, T. 10(3):84.

Panda Security. PowerShell – otlichnyj vektor ataki dlja bezfajlovyh ugroz. [V Internete] 28 Fevralja 2019 g. [Citirovano: 13 Janvarja 2020 g.] https://www.securitylab.ru/blog/company/PandaSecurityRus/345805.php.

SecurityLab.ru. Vladel'cy NAS QNAP pozhalovalis' na zagadochnyj vredonos, otkljuchajushhij obnovlenie antivirusov. [V Internete] 11 Fevralja 2019 g. [Citirovano: 13 Janvarja 2020 g.] https://www.securitylab.ru/news/497863.php.

Davydova, Anna. Hakery nachali ispol'zovat' ujazvimost' nulevogo dnja v planirovshhike zadanij Windows s pomoshh'ju vredonosnyh programm. [V Internete] 2 Oktjabrja 2018 g. [Citirovano: 13 Janvarja 2020 g.] https://codeby.net/blogs/hakery-nachali-ispolzovat-uyazvimost-nulevogo-dnya-v-planirovshhike-zadanij-windows-s-pomoshhyu-vredonosnyh-programm/.

Cios', A. I. Analiz tonal'nosti tekstov s ispol'zovaniem klassifikatorov na osnove mashinnogo obuchenija. Sankt-Peterburgskij Politehnicheskij Universitet Petra Velikogo Institut Komp'juternyh Nauk i Tehnologij. Sankt-Peterburg : b.n., 2018. str. 33-46, Dissertacija.

Nugumanova, A. B., i dr. Obogashhenie modeli Bag-of-words semanticheskimi svjazjami dlja povyshenija kachestva klassifikacii tekstov predmetnoj oblasti. 2016 g., Programmnye produkty i sistemy, T. 2(114).


Refbacks

  • There are currently no refbacks.


Abava  Absolutech Convergent 2020

ISSN: 2307-8162