Title | RNN-VED for Reducing False Positive Alerts in Host-based Anomaly Detection Systems |
Publication Type | Conference Paper |
Year of Publication | 2020 |
Authors | Bouzar-Benlabiod, L., Rubin, S. H., Belaidi, K., Haddar, N. E. |
Conference Name | 2020 IEEE 21st International Conference on Information Reuse and Integration for Data Science (IRI) |
Date Published | aug |
Keywords | ADFA-LD dataset, ADFALD., anomaly detection, anomaly prediction, Classification algorithms, compositionality, data structures, Decoding, false positive alerts, Hidden Markov models, HIDS, host-based anomaly detection systems, host-based intrusion detection systems, Information Reuse and Security, learning (artificial intelligence), model input-data representation, natural language processing, normal behavior learning, one-class classification, pubcrawl, recurrent neural nets, Recurrent neural networks, Resiliency, RNN-VED, security of data, Semantics, sequence to sequence, system-call traces, variational encoder-decoder architecture |
Abstract | Host-based Intrusion Detection Systems (HIDS) are often based on anomaly detection. Several studies deal with anomaly detection by analyzing the system-call traces and get good detection rates but also a high rate of false positives. In this paper, we propose a new anomaly detection approach applied to the system-call traces. The normal behavior learning is done using a sequence-to-sequence model based on a Variational Encoder-Decoder (VED) architecture that integrates Recurrent Neural Network (RNN) cells. We exploit the semantics behind the invoking order of system-calls, which are then seen as sentences. A preprocessing phase is added to structure and optimize the model input-data representation. After the learning step, a one-class classification is run to categorize the sequences as normal or abnormal. The architecture may be used for predicting abnormal behaviors. The tests are achieved on the ADFA-LD dataset. |
DOI | 10.1109/IRI49571.2020.00011 |
Citation Key | bouzar-benlabiod_rnn-ved_2020 |