SON KULLANICILAR İÇİN ANOMALİ SALDIRI TESPİT SİSTEMLERİ

Yıl 2019, Cilt: 27 Sayı: 3, 199 - 212, 15.12.2019

Kerim Can Kalıpcıoğlu Cengiz Toğay Esra Nergis Yolaçan

https://doi.org/10.31796/ogummf.560747

Cited By: 3

Öz

Günümüzde
yaygın bir şekilde kullanılmakta olan imza tabanlı yaklaşımlar, özellikle sıfır
gün saldırıları gibi henüz tespit edilmemiş saldırı vektörlerine karşı
başarısız olmaktadırlar. Bu tip saldırılar genellikle en az bir sisteme zarar
verdikten sonra tespit edilmektedir. Saldırıya ilişkin imza yapılan analizin
ardından son kullanıcıların erişimine sunulur. Dolayısı ile bu süre zarfında
kullanıcılar bu tip saldırılara karşı savunmasız kalırlar. Kritik noktalardaki
bilgisayar sistemlerinin gerek güncelleme ve gerekse yeni uygulamaların
kurulmasının ardından sıfır gün saldırıları ile karşılaşma riski bulunmaktadır.
Bilindiği üzere, uygulamalar işletim sistemiyle sistem çağrı arayüzü üzerinden
etkileşim kurarlar. Dolayısı ile uygulamalardan ya da sistemin tümünden
toplanan sistem çağrı verisinde öğrenme sonrasında belirlenen anormal
davranışlar bir saldırının varlığını işaret ediyor olabilir. Bu çalışmada, anomali
tespit sistemleri için literatür taraması, kullanılabilecek veri kümeleri ve bunların
karşılaştırmalı analizleri sunulmuştur.

Anahtar Kelimeler

Saldırı tespit sistemleri, Anomali tanıma, Makine öğrenmesi, Sistem çağrıları, Host-tabanlı

Kaynakça

• Ali, M. Q., Khan, H., Sajjad, A., & Khayam, S. A. (2009). On achieving good operating points on an ROC plane using stochastic anomaly score prediction. 16th ACM conference on Computer and communications security, Şikago, ABD.
• Anscombe, F. J., & Guttman, I. (1960). Rejection of Outliers. Technometrics, Sayı(2), 123-147. doi: https://doi.org/10.2307/1266540
• Axelsson, S. (2000). Intrusion detection systems: A survey and taxonomy.
• Bace, R., & Mell, P. (2001). Intrusion Detection Systems Erişim adresi: https://apps.dtic.mil/dtic/tr/fulltext/u2/a393326.pdf
• Bhatkar, S., Chaturvedi, A., & Sekar, R. (2006, 21-24 May 2006). Dataflow anomaly detection. 2006 IEEE Symposium on Security and Privacy (S&P'06) Sunulmuş Bildiri.
• Borisaniya, B., & Patel, D. (2015). Evaluation of modified vector space representation using adfa-ld and adfa-wd datasets. Journal of Information Security, Sayı(3), 250. doi: https://doi.org/10.4236/jis.2015.63025
• Cabrera, J. B. D., Lewis, L., & Mehra, R. K. (2001). Detection and classification of intrusions and faults using sequences of system calls. ACM SIGMOID Record, Sayı(4), 25-34. doi: https://doi.org/10.1145/604264.604269
• Canali, D., Lanzi, A., Balzarotti, D., Kruegel, C., Christodorescu, M., & Kirda, E. (2012). A quantitative study of accuracy in system call-based malware detection. International Symposium on Software Testing and Analysis Sunulmuş Bildiri.
• Canfora, G., Sorbo, A. D., Mercaldo, F., & Visaggio, C. A. (2015, 22-22 May 2015). Obfuscation Techniques against Signature-Based Detection: A Case Study. 2015 Mobile Systems Technologies Workshop (MST) Sunulmuş Bildiri.
• CERT-UK. Code obfuscation. Erişim adresi: https://www.ncsc.gov.uk/content/files/protected_files/guidance_files/Code-obfuscation.pdf
• Chandola, V., Banerjee, A., & Kumar, V. (2009). Anomaly detection: A survey. ACM Computing Surveys, Sayı(3), 15.
• Chen, W.-H., Hsu, S.-H., & Shen, H.-P. (2005). Application of SVM and ANN for intrusion detection. Computers and Operations Research, Sayı(10), 2617-2634. doi: https://doi.org/10.1016/j.cor.2004.03.019
• Cohen, W. W. (1995). Fast Effective Rule Induction. A. Prieditis & S. Russell (Eds.), Machine Learning Proceedings 1995 (115-123). San Francisco (CA).
• Creech, G. (2014). Developing a high-accuracy cross platform Host-Based Intrusion Detection System capable of reliably detecting zero-day attacks. University of New South Wales, Canberra, Avustralya.
• Creech, G., & Hu, J. (2014). A Semantic Approach to Host-Based Intrusion Detection Systems Using Contiguousand Discontiguous System Call Patterns. IEEE Transactions on Computers, Sayı(4), 807-819. doi: https://doi.org/10.1109/tc.2013.13
• DARPA Intrusion Detection Evaluation Dataset. (1998). Erişim adresi: https://www.ll.mit.edu/r-d/datasets/1998-darpa-intrusion-detection-evaluation-dataset
• DARPA Intrusion Detection Evaluation Dataset. (1999). Erişim adresi: https://www.ll.mit.edu/r-d/datasets/1999-darpa-intrusion-detection-evaluation-dataset
• Debar, H., Dacier, M., & Wespi, A. (2000). A revised taxonomy for intrusion-detection systems. Annales des télécommunications, Sayı(7-8), 361-378.
• Deshpande, P., Sharma, S., Peddoju, S., & Junaid, S. (2018). HIDS: A host based intrusion detection system for cloud computing environment. International Journal of System Assurance Engineering Management, Sayı(3), 567-576. doi: https://doi.org/10.1007/s13198-014-0277-7
• Du, M., Li, F., Zheng, G., & Srikumar, V. (2017). Deeplog: Anomaly detection and diagnosis from system logs through deep learning. 2017 ACM SIGSAC Conference on Computer and Communications Security Sunulmuş Bildiri.
• Duessel, P., Gehl, C., Flegel, U., Dietrich, S., & Meier, M. (2017). Detecting zero-day attacks using context-aware anomaly detection at the application-layer. International Journal of Information Security, Sayı(5), 475-490. doi: https://doi.org/10.1007/s10207-016-0344-y
• Eskin, E., Arnold, A., Prerau, M., Portnoy, L., & Stolfo, S. (2002). A Geometric Framework for Unsupervised Anomaly Detection. D. Barbará & S. Jajodia (Eds.), Applications of Data Mining in Computer Security (77-101). Massachusetts, ABD: Springer US. doi: https://doi.org/10.1007/978-1-4615-0953-0_4
• Eskin, E., Lee, W., & Stolfo, S. J. (2001). Modeling system calls for intrusion detection with dynamic window sizes. DARPA Information Survivability Conference and Exposition II. DISCEX'01 Sunulmuş Bildiri.
• Feng, L., Guan, X., Guo, S., Gao, Y., & Liu, P. (2004). Predicting the intrusion intentions by observing system call sequences. Computers and Security, Sayı(3), 241-252. doi: https://doi.org/10.1016/j.cose.2004.01.016
• Forrest, S., Hofmeyr, S. A., Somayaji, A., & Longstaff, T. A. (1996, 6-8 May 1996). A sense of self for Unix processes. 1996 IEEE Symposium on Security and Privacy Sunulmuş Bildiri.
• Ghosh, A. K., Schwartzbard, A., & Schatz, M. (1999). Learning Program Behavior Profiles for Intrusion Detection. Workshop on Intrusion Detection and Network Monitoring.
• Grimmer, M., Röhling, M. M., Kricke, M., Franczyk, B., & Rahm, E. (2018). Intrusion Detection on System Call Graphs. 25. DFN-Konferenz "Sicherheit in vernetzten Systemen" Sunulmuş Bildiri, Hamburg, Almanya.
• Gupta, S., & Kumar, P. (2015). An Immediate System Call Sequence Based Approach for Detecting Malicious Program Executions in Cloud Environment. Wireless Personal Communications, Sayı(1), 405-425. doi: https://doi.org/10.1007/s11277-014-2136-x
• Haider, W., Creech, G., Xie, Y., & Hu, J. (2016). Windows based data sets for evaluation of robustness of host based intrusion detection systems (IDS) to zero-day and stealth attacks. Future Internet, Sayı(3), 29. doi: https://doi.org/10.3390/fi8030029
• Han, S.-J., & Cho, S.-B. (2005). Evolutionary neural networks for anomaly detection based on the behavior of a program. IEEE Transactions on Systems, Man, and Cybernetics, Part B, Sayı(3), 559-570. doi: https://doi.org/10.1109/tsmcb.2005.860136
• Hawkins, D. M. (1980). Identification of outliers (Vol. 11): Springer.
• Hindy, H., Brosset, D., Bayne, E., Seeam, A., Tachtatzis, C., Atkinson, R. C., & Bellekens, X. J. A. (2018). A Taxonomy and Survey of Intrusion Detection System Design Techniques, Network Threats and Datasets. CoRR, Sayı.
• Hoang, X. A., & Hu, J. (2004, 19-19 Nov. 2004). An efficient hidden Markov model training scheme for anomaly intrusion detection of server applications based on system calls. 2004 12th IEEE International Conference on Networks (ICON 2004) (IEEE Cat. No.04EX955) Sunulmuş Bildiri.
• Hoang, X. A., Hu, J., & Bertok, P. (2003). A multi-layer model for anomaly intrusion detection using program sequences of system calls. 11th IEEE International Conference on Networks, 2003. ICON2003. Sunulmuş Bildiri.
• Hofmeyr, S. A., Forrest, S., & Somayaji, A. (1998). Intrusion detection using sequences of system calls. Journal of Computer Security, Sayı(3), 151-180. doi: https://doi.org/10.3233/jcs-980109
• Hou, S., Saas, A., Chen, L., & Ye, Y. (2016, 13-16 Oct. 2016). Deep4MalDroid: A Deep Learning Framework for Android Malware Detection Based on Linux Kernel System Call Graphs. 2016 IEEE/WIC/ACM International Conference on Web Intelligence Workshops (WIW) Sunulmuş Bildiri.
• Hu, J., Yu, X., Qiu, D., & Chen, H. (2009). A simple and efficient hidden Markov model scheme for host-based anomaly intrusion detection. IEEE Network, Sayı(1), 42-47. doi: https://doi.org/10.1109/mnet.2009.4804323
• Hu, W., Liao, Y., & Vemuri, V. R. (2003). Robust Support Vector Machines for Anomaly Detection in Computer Security. International Conference on Machine Learning and Applications (ICMLA’03) Sunulmuş Bildiri, ABD.
• Kang, D.-K., Fuller, D., & Honavar, V. (2005). Learning classifiers for misuse and anomaly detection using a bag of system calls representation. Sixth Annual IEEE SMC Information Assurance Workshop Sunulmuş Bildiri.
• Kayacık, H. G. (2009). Can the Best Defense be a Good Offense?: Evolving (mimicry) Attacks for Detector Vulnerability Testing Under a 'black-box' Assumption. Dalhousie University.
• Kayacık, H. G., Zincir-Heywood, A. N., & Heywood, M. I. (2007). Automatically evading IDS using GP authored attacks. IEEE Symposium on Computational Intelligence in Security and Defense Applications Sunulmuş Bildiri.
• Kayacık, H. G., Zincir-Heywood, A. N., Heywood, M. I., & Burschka, S. (2009). Generating mimicry attacks using genetic programming: a benchmarking study. IEEE Symposium on Computational Intelligence in Cyber Security Sunulmuş Bildiri.
• Kim, G., Yi, H., Lee, J., Paek, Y., & Yoon, S. (2016). LSTM-Based System-Call Language Modeling and Robust Ensemble Method for Designing Host-Based Intrusion Detection Systems. arXiv e-prints.
• Kosoresow, A. P., & Hofmeyer, S. A. (1997). Intrusion detection via system call traces. IEEE Software, Sayı(5), 35-42. doi: https://doi.org/10.1109/52.605929
• Kriegel, H.-P., Kröger, P., & Zimek, A. (2010). Title. [PowerPoint sunumu] Erişim adresi: https://archive.siam.org/meetings/sdm10/tutorial3.pdf
• Kruegel, C., Mutz, D., Valeur, F., & Vigna, G. (2003). On the Detection of Anomalous System Call Arguments. Computer Security – ESORICS 2003 Sunulmuş Bildiri, Berlin, Heidelberg.
• Lanzi, A., Balzarotti, D., Kruegel, C., Christodorescu, M., & Kirda, E. (2010). Accessminer: using system-centric models for malware protection. 17th ACM conference on Computer and communications security Sunulmuş Bildiri.
• Lee, W., Stolfo, S., & Chan, P. (1997). Learning Patterns from Unix Process Execution Traces for Intrusion Detection. AAAI Workshop on AI Approaches to Fraud Detection and Risk Management.
• Lee, W., & Xiang, D. (2001). Information-theoretic measures for anomaly detection. IEEE Symposium on Security and Privacy (S&P 2001) Sunulmuş Bildiri, ABD.
• Leslie, C., Eskin, E., & Noble, W. S. (2001). The spectrum kernel: A string kernel for SVM protein classification. Pacific Symposium on Biocomputing.
• Liao, Y., & Vemuri, V. R. (2002). Use of k-nearest neighbor classifier for intrusion detection. Computers & Security, Sayı(5), 439-448. doi: https://doi.org/10.1016/s0167-4048(02)00514-x
• Linux Programmer's Manual. (2017a). Linux man-pages project. Erişim adresi: http://man7.org/linux/man-pages/man2/fork.2.html
• Linux Programmer's Manual. (2017b). Linux man-pages project. Erişim adresi: http://man7.org/linux/man-pages/man1/strace.1.html
• Lippmann, R., Haines, J. W., Fried, D. J., Korba, J., & Das, K. (2000). Analysis and results of the 1999 DARPA off-line intrusion detection evaluation. International Workshop on Recent Advances in Intrusion Detection Sunulmuş Bildiri.
• Lippmann, R. P., Fried, D. J., Graf, I., Haines, J. W., Kendall, K. R., McClung, D., Weber, D., Webster, S.E., Wyschogrod, D., Cunningham, R. K., Zissman, M.A. (2000). Evaluating intrusion detection systems: The 1998 DARPA off-line intrusion detection evaluation. DARPA Information Survivability Conference and Exposition (DISCEX'00) Sunulmuş Bildiri.
• Liţă, C. V., Cosovan, D., & Gavriluţ, D. (2018). Anti-emulation trends in modern packers: a survey on the evolution of anti-emulation techniques in UPA packers. Journal of Computer Virology Hacking Techniques, Sayı(2), 107-126. doi: https://doi.org/10.1007/s11416-017-0291-9
• Liu, A., Jiang, X., Jin, J., Mao, F., & Chen, J. (2011). Enhancing System-Called-Based Intrusion Detection with Protocol Context. IARIA SECURWARE Sunulmuş Bildiri, Fransa.Maggi, F., Matteucci, M., & Zanero, S. (2010). Detecting Intrusions through System Call Sequence and Argument Analysis. IEEE Transactions on Dependable and Secure Computing, Sayı(4), 381-395. doi: https://doi.org/10.1109/tdsc.2008.69
• Marceau, C. (2000). Characterizing the behavior of a program using multiple-length N-grams. 2000 Workshop on New security paradigms, Ballycotton, County Cork, Ireland.
• Mouttaqi, T., Rachidi, T., & Assem, N. (2017). Re-evaluation of combined Markov-Bayes models for host intrusion detection on the ADFA dataset. 2017 Intelligent Systems Conference (IntelliSys) Sunulmuş Bildiri.
• Murtaza, S. S., Khreich, W., Hamou-Lhadj, A., & Couture, M. (2013). A host-based anomaly detection approach by representing system calls as states of kernel modules. 2013 IEEE 24th International Symposium on Software Reliability Engineering (ISSRE) Sunulmuş Bildiri.
• Mutz, D., Valeur, F., Vigna, G., Kruegel. (2006). Anomalous system call detection. ACM Transactions on Information and System Security (TISSEC), Sayı(1), 61-93. doi: https://doi.org/10.1145/1127345.1127348
• Nauman, M., Azam, N., & Yao, J. (2016). A three-way decision making approach to malware analysis using probabilistic rough sets. Information Sciences, Sayı, 193-209. doi: https://doi.org/10.1016/j.ins.2016.09.037
• P. Farwell, J., & Rohozinski, R. (2011). Stuxnet and the Future of Cyber War. Survival (Sayı 53, 23-40). doi: https://doi.org/10.1080/00396338.2011.555586
• Patcha, A., & Park, J.-M. (2007). An overview of anomaly detection techniques: Existing solutions and latest technological trends. Computer networks, Sayı(12), 3448-3470. doi: https://doi.org/10.1016/j.comnet.2007.02.001
• Pendleton, M. (2017). syscall-dataset-generator: GitHub. Erişim adresi: https://github.com/marcusp46/syscall-dataset-generator
• Pendleton, M., & Xu, S. A dataset generator for next generation system call host intrusion detection systems. MILCOM 2017 - 2017 IEEE Military Communications Conference (MILCOM) Sunulmuş Bildiri.
• Quinlan, J. R. (1993). C4.5: programs for machine learning: Morgan Kaufmann Publishers Inc.
• Roberts, S. W. (2000). Control Chart Tests Based on Geometric Moving Averages. Technometrics, Sayı(1), 97-101. doi: https://doi.org/10.2307/1271439
• Sabahi, F., & Movaghar, A. (2008). Intrusion detection: A survey. 2008 Third International Conference on Systems and Networks Communications Sunulmuş Bildiri.
• Sarmah, A. (2001). Intrusion Detection Systems: Definition, Need and Challenges. SANS Institute Reading Room erişim adresi: https://www.sans.org/reading-room/whitepapers/detection/intrusion-detection-systems-definition-challenges-343
• Scarfone, K., & Mell, P. (2012). Guide to intrusion detection and prevention systems (idps).
• Sekar, R., Bendre, M., Dhurjati, D., & Bollineni, P. (2001). A fast automaton-based method for detecting anomalous program behaviors. IEEE Symposium on Security and Privacy (S&P 2001) Sunulmuş Bildiri.
• Severi, G., Leek, T., & Dolan-Gavitt, B. (2018). Malrec: Compact Full-Trace Malware Recording for Retrospective Deep Analysis. International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment Sunulmuş Bildiri.
• Song, Q., Hu, W., & Xie, W. (2002). Robust support vector machine with bullet hole image classification. IEEE transactions on systems, man, and Cybernetics, Part C, Sayı(4), 440-448. doi: https://doi.org/10.1109/tsmcc.2002.807277
• Stavroulakis, P., & Stamp, M. (2010). Handbook of Information and Communication Security: Springer Publishing Company, Incorporated.
• Tan, K. M. C., Killourhy, K. S., & Maxion, R. A. (2002). Undermining an Anomaly-Based Intrusion Detection System Using Common Exploits, Berlin, Heidelberg.
• Tan, K. M. C., & Maxion, R. A. (2002). "Why 6?" Defining the Operational Limits of Stide, an Anomaly-Based Intrusion Detector. 2002 IEEE Symposium on Security and Privacy.
• Tandon, G., & Chan, P. K. (2003). Learning rules from system call arguments and sequences for anomaly detection.
• Tong, F., & Yan, Z. (2017). A hybrid approach of mobile malware detection in Android. Journal of Parallel and Distributed Computing, Sayı, 22-31. doi: https://doi.org/10.1016/j.jpdc.2016.10.012
• Uma, M., & Ganapathi, P. (2013). A survey on various cyber attacks and their classification.
• Vokorokos, L., & Baláž, A. (2010, 5-7 May 2010). Host-based intrusion detection system. 2010 IEEE 14th International Conference on Intelligent Engineering Systems Sunulmuş Bildiri.
• Wagner, D., & Dean, R. (2001). Intrusion detection via static analysis. Proceedings 2001 IEEE Symposium on Security and Privacy (S&P 2001) Sunulmuş Bildiri.
• Wagner, D., & Soto, P. (2002). Mimicry attacks on host-based intrusion detection systems. 9th ACM Conference on Computer and Communications Security Sunulmuş Bildiri.
• Warrender, C., Forrest, S., & Pearlmutter, B. (1999, 14-14 May 1999). Detecting intrusions using system calls: alternative data models. 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344) Sunulmuş Bildiri.
• White, S. R., Swimmer, M., Pring, E., Arnold, W. C., Chess, D. M., & Morar, J. (1999). Anatomy of a Commercial-Grade Immune System.
• Xie, M., & Hu, J. (2013). Evaluating host-based anomaly detection systems: A preliminary analysis of adfa-ld. 6th International Congress on Image and Signal Processing (CISP) Sunulmuş Bildiri.
• Xie, M., Hu, J., & Slay, J. (2014). Evaluating host-based anomaly detection systems: Application of the one-class SVM algorithm to ADFA-LD. 11th International Conference on Fuzzy Systems and Knowledge Discovery (FSKD) Sunulmuş Bildiri.
• Xie, M., Hu, J., Yu, X., & Chang, E. (2015). Evaluating host-based anomaly detection systems: Application of the frequency-based algorithms to adfa-ld. International Conference on Network and System Security Sunulmuş Bildiri.
• Yao, J., Zhao, S., & Fan, L. (2006). An Enhanced Support Vector Machine Model for Intrusion Detection. International Conference on Rough Sets and Knowledge Technology Sunulmuş Bildiri, Berlin, Almanya.
• Ye, N., Li, X., Chen, Q., Emran, S. M., & Xu, M. (2001). Probabilistic techniques for intrusion detection based on computer audit data. IEEE Transactions on Systems, Man, Cybernetics-Part A: Systems Humans, Sayı(4), 266-274. doi: https://doi.org/10.1109/3468.935043
• Yolaçan, E. N., Dy, J. G., & Kaeli, D. R. (2014). System Call Anomaly Detection Using Multi-HMMs. 2014 IEEE Eighth International Conference on Software Security and Reliability-Companion Sunulmuş Bildiri.
• Ypma, A., & Duin, R. P. (1998). Support objects for domain approximation. International Conference on Artificial Neural Networks Sunulmuş Bildiri.