P-Gaussian: Provenance-Based Gaussian Distribution for Detecting Intrusion Behavior Variants Using High Efficient and Real Time Memory Databases

Appeared in IEEE Transactions on Dependable and Secure Computing.

Abstract

Detecting variants of intrusion behavior is increasingly important, and it remains a hard problem. Previous host-based
intrusion detection methods typically examine sequences of system calls or Unix shell commands to detect intrusion behavior.
This paper abstracts the detection of intrusion behavior variants as a comparison between sequences whose order or length has
been transformed. To overcome the impact of such sequence transformation on detection accuracy, we propose P-Gaussian, a
provenance-based Gaussian distribution detection scheme with two key design features: (1) it uses provenance to
describe and identify intrusion behavior variants, which eliminates the impact of sequence order transformation on detection
accuracy; (2) it applies the Gaussian distribution principle to accurately compute the similarity between an intrusion behavior and its variant,
which eliminates the impact of increases in intrusion behavior sequence length on detection accuracy. To improve detection
performance, P-Gaussian employs a Redis in-memory database with multiple Redis instances and multiple threads, enabling
parallel provenance processing in multi-core environments. It also classifies provenance as hot or cold to support efficient
long-term forensic analysis. Experimental results on widely used real-world applications demonstrate the performance and efficiency of
our system.
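The following Python script is an added illustration of the contrast the abstract draws; it is not P-Gaussian's own code, and the paper's exact similarity formula is not reproduced here. It builds a constructed audit trace of a hypothetical exfiltration behavior (a process reads /etc/passwd and then writes to a socket) together with a reordered variant, a variant padded with interleaved benign events, a partial variant and a benign trace. It then scores each candidate with a sequence-based bigram matcher, an order-insensitive provenance edge matcher (Jaccard over dependency edges), and an assumed Gaussian-kernel similarity that penalizes only signature edges the candidate lacks, so the score survives both reordering and length increase. The event tuples, the kernel width sigma and the detection threshold are assumptions made for this example.

```python
import math

# Constructed audit events of the form (subject, operation, object).
# These are illustrative; they are not data from the paper.
B0 = ("bash", "exec", "curl")
B1 = ("curl", "read", "/etc/passwd")
B2 = ("curl", "write", "socket:10.0.0.5:443")
N1 = ("curl", "read", "/etc/hosts")          # benign noise event
N2 = ("curl", "read", "/etc/resolv.conf")    # benign noise event

SIGNATURE = [B0, B1, B2]            # known intrusion behavior
REORDERED = [B0, B2, B1]            # variant: event order transformed
PADDED = [B0, N1, B1, N2, B2]       # variant: noise interleaved (length increase)
DROPPED = [B0, B2]                  # partial variant: one step missing
BENIGN = [("bash", "exec", "ls"), ("ls", "read", "/home")]


def bigram_similarity(a, b):
    """Sequence-based matching: Jaccard over adjacent event pairs.

    Any reordering or interleaving breaks the adjacent pairs, so variants
    score zero against the signature.
    """
    ga = {tuple(a[i:i + 2]) for i in range(len(a) - 1)}
    gb = {tuple(b[i:i + 2]) for i in range(len(b) - 1)}
    union = ga | gb
    return len(ga & gb) / len(union) if union else 0.0


def provenance_edges(trace):
    """Provenance view of a trace: the set of dependency edges, order ignored."""
    return set(trace)


def edge_jaccard(a, b):
    """Order-insensitive matching, but still sensitive to added edges:
    padding the variant grows the union and lowers the score."""
    ea, eb = provenance_edges(a), provenance_edges(b)
    return len(ea & eb) / len(ea | eb)


def gaussian_similarity(signature, candidate, sigma=2.0):
    """Assumed Gaussian-kernel similarity (not the paper's exact formula).

    Only signature edges missing from the candidate count as distance, so
    extra edges from a longer variant do not reduce the score. sigma is an
    assumed kernel width: one missing edge gives exp(-1/8) ~= 0.88.
    """
    missing = len(provenance_edges(signature) - provenance_edges(candidate))
    return math.exp(-(missing ** 2) / (2 * sigma ** 2))


def is_variant(signature, candidate, threshold=0.5):
    """Flag the candidate as a variant of the signature (assumed threshold)."""
    return gaussian_similarity(signature, candidate) >= threshold


if __name__ == "__main__":
    cases = [("reordered", REORDERED), ("padded", PADDED),
             ("dropped", DROPPED), ("benign", BENIGN)]
    for name, trace in cases:
        print(f"{name:10s} bigram={bigram_similarity(SIGNATURE, trace):.2f} "
              f"edges={edge_jaccard(SIGNATURE, trace):.2f} "
              f"gaussian={gaussian_similarity(SIGNATURE, trace):.2f} "
              f"variant={is_variant(SIGNATURE, trace)}")
```

Run stand-alone, the script shows the two failure modes the abstract names: the bigram matcher scores both the reordered and the padded variant at 0, the edge Jaccard recovers the reordered variant (1.0) but drops to 0.6 once benign events are interleaved, and the Gaussian score keeps both at 1.0 while the benign trace stays below threshold.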

Publication date:
December 2019

Authors:
Yulai Xie
Yafeng Wu
Dan Feng
Darrell D. E. Long

Bibtex entry

@article{xie-tdsc19,
  author       = {Yulai Xie and Yafeng Wu and Dan Feng and Darrell D. E. Long},
  title        = {P-Gaussian: Provenance-Based Gaussian Distribution for Detecting Intrusion Behavior Variants Using High Efficient and Real Time Memory Databases},
  journal      = {IEEE Transactions on Dependable and Secure Computing},
  volume       = {},
  month        = dec,
  year         = {2019},
}
Last modified 15 Jul 2020