Process monitoring on sequences of system call count vectors

Michael Dymshits; Benjamin Myara; David Tolpin

doi:10.1109/CCST.2017.8167792

Process monitoring on sequences of system call count vectors

Michael Dymshits, Benjamin Myara, David Tolpin

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

9 Scopus citations

Abstract

We introduce a methodology for efficient monitoring of processes running on hosts in a corporate network. The methodology is based on collecting streams of system calls produced by all or selected processes on the hosts, and sending them over the network to a monitoring server, where machine learning algorithms are used to identify changes in process behavior due to malicious activity, hardware failures, or software errors. The methodology uses a sequence of system call count vectors as the data format which can handle large and varying volumes of data. Unlike previous approaches, the methodology introduced in this paper is suitable for distributed collection and processing of data in large corporate networks. We evaluate the methodology both in a laboratory setting on a real-life setup and provide statistics characterizing performance and accuracy of the methodology.

Original language	English
Title of host publication	Proceedings - 2017 International Carnahan Conference on Security Technology, ICCST 2017
Editors	Javier Ortega-Garcia, Aythami Morales, Julian Fierrez, Ruben Vera-Rodriguez, Riccardo Lazzeretti
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	1-5
Number of pages	5
ISBN (Electronic)	9781538615850
DOIs	https://doi.org/10.1109/CCST.2017.8167792
State	Published - 5 Dec 2017
Externally published	Yes
Event	2017 International Carnahan Conference on Security Technology, ICCST 2017 - Madrid, Spain Duration: 23 Oct 2017 → 26 Oct 2017

Publication series

Name	Proceedings - International Carnahan Conference on Security Technology
Volume	2017-October
ISSN (Print)	1071-6572

Conference

Conference	2017 International Carnahan Conference on Security Technology, ICCST 2017
Country/Territory	Spain
City	Madrid
Period	23/10/17 → 26/10/17

Keywords

LSTM
anomaly detection
malware
process monitoring
system calls

Access to Document

10.1109/CCST.2017.8167792

Cite this

Dymshits, M., Myara, B., & Tolpin, D. (2017). Process monitoring on sequences of system call count vectors. In J. Ortega-Garcia, A. Morales, J. Fierrez, R. Vera-Rodriguez, & R. Lazzeretti (Eds.), Proceedings - 2017 International Carnahan Conference on Security Technology, ICCST 2017 (pp. 1-5). (Proceedings - International Carnahan Conference on Security Technology; Vol. 2017-October). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/CCST.2017.8167792

Dymshits, Michael ; Myara, Benjamin ; Tolpin, David. / Process monitoring on sequences of system call count vectors. Proceedings - 2017 International Carnahan Conference on Security Technology, ICCST 2017. editor / Javier Ortega-Garcia ; Aythami Morales ; Julian Fierrez ; Ruben Vera-Rodriguez ; Riccardo Lazzeretti. Institute of Electrical and Electronics Engineers Inc., 2017. pp. 1-5 (Proceedings - International Carnahan Conference on Security Technology).

@inproceedings{19e3fb393be84ee89cd7f0131defa9b0,

title = "Process monitoring on sequences of system call count vectors",

abstract = "We introduce a methodology for efficient monitoring of processes running on hosts in a corporate network. The methodology is based on collecting streams of system calls produced by all or selected processes on the hosts, and sending them over the network to a monitoring server, where machine learning algorithms are used to identify changes in process behavior due to malicious activity, hardware failures, or software errors. The methodology uses a sequence of system call count vectors as the data format which can handle large and varying volumes of data. Unlike previous approaches, the methodology introduced in this paper is suitable for distributed collection and processing of data in large corporate networks. We evaluate the methodology both in a laboratory setting on a real-life setup and provide statistics characterizing performance and accuracy of the methodology.",

keywords = "LSTM, anomaly detection, malware, process monitoring, system calls",

author = "Michael Dymshits and Benjamin Myara and David Tolpin",

note = "Publisher Copyright: {\textcopyright} 2017 IEEE.; 2017 International Carnahan Conference on Security Technology, ICCST 2017 ; Conference date: 23-10-2017 Through 26-10-2017",

year = "2017",

month = dec,

day = "5",

doi = "10.1109/CCST.2017.8167792",

language = "English",

series = "Proceedings - International Carnahan Conference on Security Technology",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "1--5",

editor = "Javier Ortega-Garcia and Aythami Morales and Julian Fierrez and Ruben Vera-Rodriguez and Riccardo Lazzeretti",

booktitle = "Proceedings - 2017 International Carnahan Conference on Security Technology, ICCST 2017",

address = "United States",

}

Dymshits, M, Myara, B & Tolpin, D 2017, Process monitoring on sequences of system call count vectors. in J Ortega-Garcia, A Morales, J Fierrez, R Vera-Rodriguez & R Lazzeretti (eds), Proceedings - 2017 International Carnahan Conference on Security Technology, ICCST 2017. Proceedings - International Carnahan Conference on Security Technology, vol. 2017-October, Institute of Electrical and Electronics Engineers Inc., pp. 1-5, 2017 International Carnahan Conference on Security Technology, ICCST 2017, Madrid, Spain, 23/10/17. https://doi.org/10.1109/CCST.2017.8167792

Process monitoring on sequences of system call count vectors. / Dymshits, Michael; Myara, Benjamin; Tolpin, David.

Proceedings - 2017 International Carnahan Conference on Security Technology, ICCST 2017. ed. / Javier Ortega-Garcia; Aythami Morales; Julian Fierrez; Ruben Vera-Rodriguez; Riccardo Lazzeretti. Institute of Electrical and Electronics Engineers Inc., 2017. p. 1-5 (Proceedings - International Carnahan Conference on Security Technology; Vol. 2017-October).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Process monitoring on sequences of system call count vectors

AU - Dymshits, Michael

AU - Myara, Benjamin

AU - Tolpin, David

PY - 2017/12/5

Y1 - 2017/12/5

N2 - We introduce a methodology for efficient monitoring of processes running on hosts in a corporate network. The methodology is based on collecting streams of system calls produced by all or selected processes on the hosts, and sending them over the network to a monitoring server, where machine learning algorithms are used to identify changes in process behavior due to malicious activity, hardware failures, or software errors. The methodology uses a sequence of system call count vectors as the data format which can handle large and varying volumes of data. Unlike previous approaches, the methodology introduced in this paper is suitable for distributed collection and processing of data in large corporate networks. We evaluate the methodology both in a laboratory setting on a real-life setup and provide statistics characterizing performance and accuracy of the methodology.

AB - We introduce a methodology for efficient monitoring of processes running on hosts in a corporate network. The methodology is based on collecting streams of system calls produced by all or selected processes on the hosts, and sending them over the network to a monitoring server, where machine learning algorithms are used to identify changes in process behavior due to malicious activity, hardware failures, or software errors. The methodology uses a sequence of system call count vectors as the data format which can handle large and varying volumes of data. Unlike previous approaches, the methodology introduced in this paper is suitable for distributed collection and processing of data in large corporate networks. We evaluate the methodology both in a laboratory setting on a real-life setup and provide statistics characterizing performance and accuracy of the methodology.

KW - LSTM

KW - anomaly detection

KW - malware

KW - process monitoring

KW - system calls

UR - http://www.scopus.com/inward/record.url?scp=85042334866&partnerID=8YFLogxK

U2 - 10.1109/CCST.2017.8167792

DO - 10.1109/CCST.2017.8167792

M3 - Conference contribution

AN - SCOPUS:85042334866

T3 - Proceedings - International Carnahan Conference on Security Technology

SP - 1

EP - 5

BT - Proceedings - 2017 International Carnahan Conference on Security Technology, ICCST 2017

A2 - Ortega-Garcia, Javier

A2 - Morales, Aythami

A2 - Fierrez, Julian

A2 - Vera-Rodriguez, Ruben

A2 - Lazzeretti, Riccardo

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 2017 International Carnahan Conference on Security Technology, ICCST 2017

Y2 - 23 October 2017 through 26 October 2017

ER -

Dymshits M, Myara B, Tolpin D. Process monitoring on sequences of system call count vectors. In Ortega-Garcia J, Morales A, Fierrez J, Vera-Rodriguez R, Lazzeretti R, editors, Proceedings - 2017 International Carnahan Conference on Security Technology, ICCST 2017. Institute of Electrical and Electronics Engineers Inc. 2017. p. 1-5. (Proceedings - International Carnahan Conference on Security Technology). https://doi.org/10.1109/CCST.2017.8167792

Process monitoring on sequences of system call count vectors

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this