Jan. 29, 2015: Invited Speaker Seminar: Anomaly Detection Using System Call Traces

Concordia Institute for Information Systems Engineering

Dr. Babak Khosravifar
ECOLE DE TECHNOLOGIE SUPERIEURE

Thursday, January 29 at 4:00 p.m.
Room EV003.309

Abstract

Run-time detection of system anomalies is a difficult task. The challenge is to design an accurate and scalable model of the normal behavior of the system that can later be used as a baseline to detect deviations from normality. Existing approaches rely on modeling system call sequences using various statistical and sequential machine-learning techniques. Although these techniques have been shown to be useful, they tend to produce a high false positive rate. Applying standard machine learning techniques to system call traces requires mapping each trace into a fixed-size numeric feature vector. The term vector is a commonly used mapping that transforms a trace of system calls into a feature vector of binary flags, typically weighted by the term frequency or by the term frequency–inverse document frequency. However, the term vector representation ignores an important characteristic: the temporal order of system calls within a trace. In this research, we present an efficient approach for designing feature vectors that combine frequency-based information with the temporal information extracted from system call traces, in order to further reduce the false alarms produced by anomaly detection systems built on standard machine learning approaches. The approach segments the system call traces into multiple n-grams and maps them to a fixed-size sparse feature vector, which can then be used to train any traditional machine learning classifier. In our experiments, we applied the proposed anomaly detection model to large benchmark datasets obtained from the University of New Mexico and from the University of South Wales. The results show that variable n-grams up to 6 outperform term vector models weighted by term frequency or term frequency–inverse document frequency, maintaining a high attack detection rate while producing few false positives.
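To make the representation concrete, here is an added example (not code from the speaker or the talk) that builds both a term-frequency vector and a variable n-gram vector (1..6) from a system call trace. The two traces, the CRC32 feature-hashing step used to reach a fixed size, and the unseen-n-gram novelty score are all assumptions of this example; the talk does not say how it fixes the vector size or which classifier it trains.

```python
import zlib
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample traces, not from the UNM/South Wales datasets: the same
# four system calls, but issued in a different order.
NORMAL = ["open", "read", "write", "close"]
REORDERED = ["open", "write", "read", "close"]

def term_vector(trace: List[str]) -> Dict[str, int]:
    """Term-frequency vector: counts per system call, temporal order discarded."""
    return dict(Counter(trace))

def ngram_vector(trace: List[str], max_n: int = 6) -> Dict[Tuple[str, ...], int]:
    """Variable n-gram vector: counts of every contiguous run of 1..max_n calls.
    Only n-grams present in the trace appear, so the result is sparse, and
    because each key is an ordered tuple, temporal order is preserved."""
    counts: Counter = Counter()
    for n in range(1, max_n + 1):
        for i in range(len(trace) - n + 1):
            counts[tuple(trace[i:i + n])] += 1
    return dict(counts)

def fixed_size_vector(counts: Dict[Tuple[str, ...], int], dim: int = 4096) -> List[int]:
    """Project the sparse n-gram counts onto a fixed-length vector by hashing
    each n-gram to an index. Feature hashing is this example's assumption; the
    talk does not say how the fixed size is obtained. CRC32 is deterministic."""
    vec = [0] * dim
    for gram, c in counts.items():
        vec[zlib.crc32("|".join(gram).encode()) % dim] += c
    return vec

def novelty_score(baseline: List[List[str]], trace: List[str], max_n: int = 6) -> float:
    """Toy anomaly score (an assumption, not the talk's classifier): the fraction
    of the trace's n-grams that never occur in the normal baseline traces."""
    seen = set()
    for t in baseline:
        seen.update(ngram_vector(t, max_n))
    grams = ngram_vector(trace, max_n)
    total = sum(grams.values())
    unseen = sum(c for g, c in grams.items() if g not in seen)
    return unseen / total if total else 0.0

if __name__ == "__main__":
    # Identical term vectors: a TF/TF-IDF model cannot tell these traces apart...
    print(term_vector(NORMAL) == term_vector(REORDERED))   # True
    # ...but the n-gram representation sees 6 of the 10 n-grams as unseen.
    print(novelty_score([NORMAL], REORDERED))              # 0.6
```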

Biography

Babak Khosravifar, PhD, is a post-doctoral fellow at École de technologie supérieure (ETS) focusing on anomaly detection for mobile devices. He was also a Research Associate at Concordia University on the same project and a postdoctoral fellow in Metacognition and Advanced Learning Technologies at McGill University. He received his Ph.D. (2012) in Computer Engineering from Concordia University. His Ph.D. thesis was on Trust and Reputation in Multi-Agent Systems. His research interests are Multi-Agent Systems, Machine Learning, Game Theory, Markov Decision Processes, and Intelligent System Design. He is interested in designing intelligent systems that host rational agents capable of learning and estimating the best outcomes. In his recent work, he proposed an online clustering method for detecting anomalous activities on mobile devices. He is now working on a dynamic decision-making protocol for refining anomaly detection systems.

Contact

For additional information, please contact:

Dr. Mohammad Mannan
514-848-2424 ext. 8972
mmannan@ciise.concordia.ca
