DocumentCode
2104424
Title
A modified process anomaly detection using Boolean function
Author
Kun Mao ; Xuehui Du ; Yi Sun
Author_Institution
Henan Province Inf. Security Key Lab., Zhengzhou Inf. Sci. & Technol. Inst., Zhengzhou, China
fYear
2012
fDate
9-11 Nov. 2012
Firstpage
836
Lastpage
840
Abstract
This paper proposes a process anomaly detection method that uses a Boolean function to determine whether a running process has been compromised. The method combines the results of multiple detectors to avoid a single detector's limitation of inadequate training and the resulting poor generalization performance, aiming at a higher true positive rate and a lower false positive rate. A traditional hidden Markov model is used and improved to describe the process, so that normal behaviour can be distinguished from anomalous behaviour. A simplified Boolean function is used to improve efficiency, and two algorithms are proposed to evaluate and improve the detector's performance. In simulation, the method achieves a high true positive rate and a low false positive rate.
Keywords
Boolean functions; data mining; hidden Markov models; security of data; detector performance; hidden Markov model; lower false positive rate; modified process anomaly detection; multiple detectors; poor generalization performance; running process; simplified Boolean function; single detector limitation; true positive rate; Boolean function; Hidden Markov Model; ROC; anomaly detection; process behavior evaluation;
fLanguage
English
Publisher
ieee
Conference_Titel
Communication Technology (ICCT), 2012 IEEE 14th International Conference on
Conference_Location
Chengdu
Print_ISBN
978-1-4673-2100-6
Type
conf
DOI
10.1109/ICCT.2012.6511320
Filename
6511320
Link To Document