TotalADS – Automated Software Anomaly Detection System

Authors
  1. Murtaza, S.S.
  2. Hamou-Lhadj, A.
  3. Khreich, W.
  4. Couture, M.
Corporate Authors
Defence Research and Development Canada, Valcartier Research Centre, Quebec QC (CAN); Concordia Univ, Montreal QUE (CAN) Dept of Electrical and Computer Engineering
Abstract
When a software system starts behaving abnormally during normal operations, system administrators resort to logs, execution traces, and system scanners (e.g., anti-malware, intrusion detectors) to diagnose the cause of the anomaly. However, the unpredictable context in which the system runs and the daily emergence of new software threats make it extremely challenging to diagnose anomalies using current tools. Host-based anomaly detection techniques can facilitate the diagnosis of unknown anomalies, but there is no common platform that implements such techniques. In this paper, we propose an automated anomaly detection framework (TotalADS) that automatically trains different anomaly detection techniques on a normal trace stream from a software system, raises alarms on suspicious behaviour in streams of trace data, and uses visualization to facilitate the analysis of the cause of the anomalies. TotalADS is an extensible Eclipse-based open source framework that employs a common trace format to use different types of traces and a common interface to adapt to a variety of anomaly detection techniques (e.g., HMM, sequence matching). Our case study on a modern Linux server shows that TotalADS automatically identifies contemporary attacks on the server, shows anomalous paths in system traces, and provides forensic insights.
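The abstract names "sequence matching" as one of the host-based techniques the framework can train on a normal trace stream and then use to flag suspicious behaviour and show the anomalous paths. The following is an added illustration of that technique, not code from TotalADS or its authors: a sliding-window (n-gram) detector is trained on constructed system-call traces of a healthy request-handling loop, then scores incoming traces by the fraction of windows never seen during training and reports the unseen windows as the anomalous path. The window size, the alarm threshold, the trace contents and the function names are all assumptions made for this example.

```python
"""Sliding-window sequence-matching anomaly detector over system-call traces.

Added example, not TotalADS code. A trace is modelled as a list of system-call
names; the detector learns every length-n window seen in normal traces and
flags a trace whose unseen-window ratio exceeds an assumed threshold.
"""
from typing import Dict, Iterable, List, Tuple

WINDOW = 3        # assumed n-gram length (TotalADS's own parameters are not on this page)
THRESHOLD = 0.2   # assumed alarm threshold: fraction of windows that must be unseen

Window = Tuple[str, ...]


def ngrams(trace: List[str], n: int = WINDOW) -> Iterable[Window]:
    """Yield every window of n consecutive system calls in the trace."""
    for i in range(len(trace) - n + 1):
        yield tuple(trace[i:i + n])


class SequenceMatcher:
    """Learns the set of normal n-gram windows and scores new traces against it."""

    def __init__(self, n: int = WINDOW) -> None:
        self.n = n
        self.normal: set = set()

    def train(self, trace: List[str]) -> None:
        """Add every window of a known-good trace to the normal profile."""
        self.normal.update(ngrams(trace, self.n))

    def score(self, trace: List[str]) -> Tuple[float, List[Window]]:
        """Return (unseen-window ratio, list of unseen windows in trace order).

        The unseen windows are the 'anomalous path': the exact call sequences
        that never occurred while the detector was trained.
        """
        windows = list(ngrams(trace, self.n))
        if not windows:            # trace shorter than one window: nothing to judge
            return 0.0, []
        unseen = [w for w in windows if w not in self.normal]
        return len(unseen) / len(windows), unseen


# Constructed training data: a simplified "accept request, serve file" loop.
NORMAL_TRACES: List[List[str]] = [
    ["accept", "read", "open", "fstat", "read", "write", "close"],
    ["accept", "read", "open", "fstat", "mmap", "write", "munmap", "close"],
    ["accept", "read", "stat", "open", "read", "write", "close"],
]

# Constructed test stream: one benign request, one that spawns a shell and
# calls back out (reverse-shell shaped), and one that only deviates at the end.
TEST_STREAM: Dict[str, List[str]] = {
    "benign":    ["accept", "read", "open", "fstat", "read", "write", "close"],
    "shell":     ["accept", "read", "execve", "dup2", "dup2", "socket", "connect", "close"],
    "tail_exec": ["accept", "read", "open", "fstat", "read", "write", "execve", "close"],
}


def build_detector() -> SequenceMatcher:
    """Train a detector on the constructed normal traces."""
    det = SequenceMatcher()
    for t in NORMAL_TRACES:
        det.train(t)
    return det


def classify_stream(det: SequenceMatcher, stream: Dict[str, List[str]],
                    threshold: float = THRESHOLD) -> Dict[str, Tuple[bool, float, List[Window]]]:
    """Score every trace in the stream; True means an alarm would be raised."""
    return {name: ((s := det.score(t))[0] > threshold, s[0], s[1])
            for name, t in stream.items()}


if __name__ == "__main__":
    results = classify_stream(build_detector(), TEST_STREAM)
    for name, (alarm, ratio, path) in results.items():
        print(f"{name:10s} alarm={alarm!s:5s} unseen={ratio:.2f} path={path}")
```

Two caveats a practitioner would check before trusting such a detector: the profile is only as complete as the normal traces it was trained on (a rarely exercised but legitimate code path shows up as unseen windows, so the threshold trades false alarms against missed attacks), and the unseen-window list points at where the trace diverged, not at why, which is what the visualization and forensic steps in the paper are for.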
Keywords
anomaly detection;cyber-threat
Report Number
DRDC-RDDC-2016-N023 — External Literature
Date of publication
04 Oct 2016
Number of Pages
6
DSTKIM No
CA043189
CANDIS No
804484
Format(s):
Electronic Document(PDF)
