http://dx.doi.org/10.3837/tiis.2015.02.010

An Anomalous Behavior Detection Method Using System Call Sequences for Distributed Applications

Ma, Chuan (School of Information Science and Engineering, Yanshan University)
Shen, Limin (School of Information Science and Engineering, Yanshan University)
Wang, Tao (School of Information Science and Engineering, Yanshan University)
Publication Information
KSII Transactions on Internet and Information Systems (TIIS), vol. 9, no. 2, 2015, pp. 659-679
Abstract
Distributed applications are composed of multiple nodes that exchange information with one another through message passing. Compared with traditional applications, distributed applications have more complex behavior patterns because a large number of interactions and concurrent behaviors exist among their distributed nodes. It is therefore difficult to detect anomalous behaviors and to determine the location and scope of abnormal nodes, so some attacks and misuse go undetected. To address this problem, we introduce a method for detecting anomalous behaviors based on process algebra. We specify the architecture of the behavior detection model and the detection algorithm. Detection experiments and analysis demonstrate that our method is a good discriminator between the normal and anomalous behavior characteristics of distributed applications. Performance evaluation shows that the proposed method improves efficiency without degrading security.
Keywords
Behavior detection; distributed applications; anomalous behavior; process algebra; system call