Visualizing Syscalls using Self-organizing Maps for System Intrusion Detection

Max Landauer, Florian Skopik, Markus Wurzenberger, Wolfgang Hotwagner, Andreas Rauber

2020

Abstract

Monitoring syscall logs provides a detailed view on almost all processes running on a system. Existing approaches therefore analyze sequences of executed syscall types for system behavior modeling and anomaly detection in cyber security. However, failures and attacks that do not manifest themselves as type sequences violations remain undetected. In this paper we therefore propose to incorporate syscall parameter values with the objective of enriching analysis and detection with execution context information. Our approach thereby first selects and encodes syscall log parameters and then visualizes the resulting high-dimensional data using self-organizing maps to enable complex analysis. We thereby display syscall occurrence frequencies and transitions of consecutively executed syscalls. We employ a sliding window approach to detect changes of the system behavior as anomalies in the SOM mappings. In addition, we use SOMs to cluster aggregated syscall data for classification of normal and anomalous system behavior states. Finally, we validate our approach on a real syscall data set collected from an Apache web server. Our experiments show that all injected attacks are represented as changes in the SOMs, thus enabling visual or semi-automatic anomaly detection.

Download


Paper Citation


in Harvard Style

Landauer M., Skopik F., Wurzenberger M., Hotwagner W. and Rauber A. (2020). Visualizing Syscalls using Self-organizing Maps for System Intrusion Detection. In Proceedings of the 6th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-399-5, pages 349-360. DOI: 10.5220/0008918703490360


in Bibtex Style

@conference{icissp20,
author={Max Landauer and Florian Skopik and Markus Wurzenberger and Wolfgang Hotwagner and Andreas Rauber},
title={Visualizing Syscalls using Self-organizing Maps for System Intrusion Detection},
booktitle={Proceedings of the 6th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,},
year={2020},
pages={349-360},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0008918703490360},
isbn={978-989-758-399-5},
}


in EndNote Style

TY - CONF

JO - Proceedings of the 6th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,
TI - Visualizing Syscalls using Self-organizing Maps for System Intrusion Detection
SN - 978-989-758-399-5
AU - Landauer M.
AU - Skopik F.
AU - Wurzenberger M.
AU - Hotwagner W.
AU - Rauber A.
PY - 2020
SP - 349
EP - 360
DO - 10.5220/0008918703490360