Mots-clés : variational autoencoder
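@comment{Journal article record. Author names are given in Last, First form.
  The accented letters in the transliterated journal title are braced so that
  classic BibTeX treats each one as a single letter.}
@article{VSPUI_2024_20_1_a3,
  author   = {Nguyen, V. H. and Tran, N. N.},
  title    = {Combining dynamic and static host intrusion detection features using variational long short-term memory recurrent autoencoder},
  journal  = {Vestnik Sankt-Peterburgskogo universiteta. Prikladna{\^a} matematika, informatika, processy upravleni{\^a}},
  volume   = {20},
  number   = {1},
  pages    = {34--51},
  year     = {2024},
  language = {en},
  url      = {http://geodesic.mathdoc.fr/item/VSPUI_2024_20_1_a3/},
}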
TY - JOUR
AU - V. H. Nguyen
AU - N. N. Tran
TI - Combining dynamic and static host intrusion detection features using variational long short-term memory recurrent autoencoder
JO - Vestnik Sankt-Peterburgskogo universiteta. Prikladnaâ matematika, informatika, processy upravleniâ
PY - 2024
SP - 34
EP - 51
VL - 20
IS - 1
UR - http://geodesic.mathdoc.fr/item/VSPUI_2024_20_1_a3/
LA - en
ID - VSPUI_2024_20_1_a3
ER -
%0 Journal Article
%A V. H. Nguyen
%A N. N. Tran
%T Combining dynamic and static host intrusion detection features using variational long short-term memory recurrent autoencoder
%J Vestnik Sankt-Peterburgskogo universiteta. Prikladnaâ matematika, informatika, processy upravleniâ
%D 2024
%P 34-51
%V 20
%N 1
%U http://geodesic.mathdoc.fr/item/VSPUI_2024_20_1_a3/
%G en
%F VSPUI_2024_20_1_a3
V. H. Nguyen; N. N. Tran. Combining dynamic and static host intrusion detection features using variational long short-term memory recurrent autoencoder. Vestnik Sankt-Peterburgskogo universiteta. Prikladnaâ matematika, informatika, processy upravleniâ, Tome 20 (2024) no. 1, pp. 34-51. http://geodesic.mathdoc.fr/item/VSPUI_2024_20_1_a3/
[1] The incident response analyst report, Kaspersky Publ, M., 2022, 20 pp.
[2] Hochreiter S., Schmidhuber J., “Long short-term memory”, Neural Computation, 9:8 (1997), 1735–1780 | DOI
[3] Chandra R., “Competition and collaboration in cooperative coevolution of Elman recurrent neural networks for time-series prediction”, IEEE Transactions on Neural Networks and Learning Systems, 26:12 (2015), 3123–3136 | DOI | MR
[4] Cho K., van Merrienboer B., Gulcehre C., Bougares F., Schwenk H., Bengio Y., “Learning phrase representations using RNN encoder–decoder for statistical machine translation”, Proceedings of Conference on Empirical Methods in Natural Language Processing (EMNLP), 2014, 1724–1734 | DOI
[5] Graves A., Liwicki M., Fernández S., Bertolami R., Bunke H., Schmidhuber J., “A novel connectionist system for unconstrained handwriting recognition”, IEEE Transactions on Pattern Analysis and Machine Intelligence, 31:5 (2009), 855–868 | DOI
[6] Deepika S., Erinc M., Ismini P., Johannes K., Sten H., Matthieu G., Andreas H., “Human activity recognition using recurrent neural networks”, Proceedings of International Cross-Domain Conference for Machine Learning and Knowledge Extraction (Reggio, Italy, 2017), 267–274 | MR
[7] Fabius O., van Amersfoort J. R., Variational recurrent auto-encoders, 2015, arXiv: 1412.6581
[8] Kingma D. P., Welling M., “Auto-encoding variational Bayes”, Proceedings of 2$^{nd}$ International Conference on Learning Representations (ICLR), 2014, 1–6
[9] Warrender C., Forrest S., Pearlmutter B., “Detecting intrusions using system calls: alternative data models”, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Oakland, USA, 1999), 133–145 | DOI
[10] Maggi F., Matteucci M., Zanero S., “Detecting intrusions through system call sequence and argument analysis”, IEEE Transactions on Dependable and Secure Computing, 7:4 (2010), 381–395 | DOI
[11] Xie M., Hu J., Yu X., Chang E., “Evaluating host-based anomaly detection systems: application of the frequency-based algorithms to ADFA-LD”, Proceedings of 8$^{th}$ International Conference on Network and System Security (Xian, China, 2014), 542–549 | DOI
[12] Xie M., Hu J., Slay J., “Evaluating host-based anomaly detection systems: Application of the one-class SVM algorithm to ADFA-LD”, International Conference on Fuzzy Systems and Knowledge Discovery (FSKD) (Xiamen, China, 2014), 978–982
[13] Creech G., Hu J., “A semantic approach to host-based intrusion detection systems using contiguous and discontiguous system call patterns”, IEEE Transactions on Computers, 63:4 (2014), 807–819 | DOI | MR | Zbl
[14] Ikram Y. S., Madkour M. A. I., “Enhanced host-based intrusion detection using system call traces”, Journal of King Abdulaziz University (Computing and Information Technology Sciences), 8 (2019), 93–109 | DOI
[15] Zhang Y., Luo S., Pan L., Zhang H., “Syscall-BSEM: Behavioral semantics enhancement method of system call sequence for high accurate and robust host intrusion detection”, Future Generation Computer Systems, 125 (2021), 112–126 | DOI
[16] Osamor F., Wellman B., “Deep learning-based hybrid model for efficient anomaly detection”, International Journal of Advanced Computer Science and Applications, 13:4 (2022), 975–979 | DOI | MR
[17] Anandapriya M., Lakshmanan B., “Anomaly based host intrusion detection system using semantic based system call patterns”, IEEE 9$^{th}$ International Conference on Intelligent Systems and Control (ISCO) (Coimbatore, India, 2015), 1–4 | DOI
[18] Lu Y., Teng S., “Application of sequence embedding in host-based intrusion detection system”, IEEE 24$^{th}$ International Conference on Computer Supported Cooperative Work in Design (CSCWD) (Dalian, China, 2021), 434–439
[19] Ouarda L., Bourenane M., Bouderah B., “Towards a better similarity algorithm for host-based intrusion detection system”, Journal of Intelligent Systems, 32:1 (2023), 20220259 | DOI
[20] Le T.-T.-H., Kim J., Kim H., “An effective intrusion detection classifier using long short-term memory with gradient descent optimization”, Proceedings of the 2017 International Conference on Platform Technology and Service (PlatCon) (Busan, Korea, 2017), 1–6 | DOI
[21] Staudemeyer R. C., Omlin C. W., “Evaluating performance of long short-term memory recurrent neural networks on intrusion detection data”, Proceedings of the South African Institute for Computer Scientists and Information Technologists Conference (SAICSIT 13), ACM, New York, 2013, 218–224 | DOI
[22] Staudemeyer R. C., “Applying long short-term memory recurrent neural networks to intrusion detection”, South African Computer Journal, 56 (2015) | DOI
[23] Bontemps L., Cao V. L., McDermott J., Le-Khac N. A., “Collective anomaly detection based on long short-term memory recurrent neural networks”, Proceedings of 3$^{rd}$ International Conference on Future Data and Security Engineering, Springer International Publishing, 2016, 141–152 | DOI
[24] Kim J., Kim J., Thu H. L. T., Kim H., “Long short term memory recurrent neural network classifier for intrusion detection”, International Conference on Platform Technology and Service (PlatCon), 2016, 1–5 | DOI
[25] Blei D. M., Kucukelbir A., McAuliffe J. D., “Variational inference: A review for statisticians”, Journal of the American Statistical Association, 112:518 (2017), 859–877 | DOI | MR
[26] Liu T. F., Ting K. M., Zhou Z.-H., “Isolation forest”, Proceedings of the 2008 Eighth IEEE International Conference on Data Mining (Pisa, Italy, 2008), 2008, 413–422 | DOI
[27] University of New Mexico (UNM) dataset for intrusion detection, (accessed: August 15, 2022) https://www.cs.unm.edu/~immsec/data-sets.htm
[28] The ADFA Intrusion Detection Datasets, (accessed: September 10, 2023) https://research.unsw.edu.au/projects/adfa-ids-datasets
[29] Yeung D. Y., Ding Y., “Host-based intrusion detection using dynamic and static behavioral models”, Pattern Recognition, 36:1 (2003), 229–243 | DOI | Zbl
[30] Wang W., Guan X. H., Zhang X. L., “Modeling program behaviors by hidden Markov models for intrusion detection”, Proceedings of 2004 International Conference on Machine Learning and Cybernetics, IEEE Cat. 04EX826 (Shanghai, China, 2004), v. 5, 2004, 2830–2835 | DOI | MR
[31] Murtaza S. S., Khreich W., Hamou-Lhadj A., Gagnon S., “A trace abstraction approach for host-based anomaly detection”, IEEE Symposium on Computational Intelligence for Security and Defense Applications (CISDA) (Verona, 2015), 2015, 1–8
[32] Borisaniya B., Patel D., “Evaluation of modified vector space representation using ADFA-LD and ADFA-WD datasets”, Journal of Information Security, 6:3 (2015), 250–264 | DOI