Title | An Online System Dependency Graph Anomaly Detection based on Extended Weisfeiler-Lehman Kernel |
Publication Type | Conference Paper |
Year of Publication | 2019 |
Authors | Ben, Yongming, Han, Yanni, Cai, Ning, An, Wei, Xu, Zhen |
Conference Name | MILCOM 2019 - 2019 IEEE Military Communications Conference (MILCOM) |
Date Published | nov |
Keywords | anomaly detection, Clustering algorithms, clustering analysis, compositionality, Cyber Dependencies, dependency graph, embedding and clustering of heterogeneous graphs, extended Weisfeiler-Lehman kernel, Forensics, graph similarity, graph theory, human factors, Intrusion detection, Kernel, locality-sensitive hashing, Metrics, modern operating systems, multiprogramming, multitasking systems, online system dependency graph anomaly detection, pattern clustering, pubcrawl, Resiliency, Scalability, security of data, simHash, Standards, streamspot, System dependency graph, Task Analysis, Weisfeiler-Lehman graph kernel |
Abstract | Modern operating systems are typical multitasking systems: they run multiple tasks at the same time. Therefore, a large number of system calls belonging to different processes are invoked at the same time. By associating these invocations, one can construct the system dependency graph. In rapidly evolving system dependency graphs, how to quickly find outliers is an urgent issue for intrusion detection. Clustering analysis based on graph similarity will help solve this problem. In this paper, an extended Weisfeiler-Lehman (WL) kernel is proposed. First, an embedded vector with indefinite dimensions is constructed based on the original dependency graph. Then, the vector is compressed with Simhash to generate a fingerprint. Finally, anomaly detection based on clustering is carried out according to these fingerprints. Our scheme can achieve prominent detection with high efficiency. For validation, we choose StreamSpot, a relevant prior work, to act as a benchmark, and use the same data set as it to carry out evaluations. Experiments show that our scheme can achieve the highest detection precision of 98% while maintaining a perfect recall performance. Moreover, both quantitative and visual comparisons demonstrate that our scheme achieves a better clustering effect than StreamSpot. |
DOI | 10.1109/MILCOM47813.2019.9020815 |
Citation Key | ben_online_2019 |