a deep learning based anomaly detection approach for … · 2018. 3. 23. · instruction sequences...
TRANSCRIPT
![Page 1: A Deep Learning Based Anomaly Detection Approach for … · 2018. 3. 23. · instruction sequences on victim systems without injecting external code. q This research proposes a new](https://reader035.vdocuments.mx/reader035/viewer/2022071118/6012c70d4f343e23c97c0a25/html5/thumbnails/1.jpg)
q Advancedmodernexploitscharacterizebytheirsophisticationinstealthyattacks.
q Code-reuse attacks such as return-oriented programming andmemory disclosure attacks allow attackers executing maliciousinstruction sequences on victim systems without injectingexternalcode.
q This research proposes a new Deep Learning based anomalydetection technique that probabilistically models programcontrolflowsforbehavioralreasoningandlivemonitoring.
q Weaimtoanswerthebinaryclassificationproblemofgivenasequence of events e1e2e3…ek whether or not the sequenceshouldoccur?
q Aneventeiinthesequenceisafunctioncallinaagiventrace.
MOTIVATION
MiguelVillarreal-VasquezandBharatBhargavaDepartmentofComputerScience,PurdueUniversity,WestLafayette,IN,USA
ADeepLearningBasedAnomalyDetectionApproachforIntelligentAutonomousSystems
Acknowledgement:This research is supported by NGC Research Consortium. We collaborated with Paul Conoval, Donald Steiner and Jason Kobes.
ANOMALYDETECTIONALGORITHM
THREATMODEL
REFERENCE
q Wedefinedaneventasafunctioncall.Eachpossiblefunctioncallmustbeidentifiedastheywillformthevocabularyofevents.
q Thedynamiccodebehaviorscanbelearnedbytrainingthemodelwithnon-maliciousprogramtraces.
q Atanytimeteachpossibleevent(systemcallorlibrarycall)inthesystem is assigned a probability estimated with respect to thesequenceofeventsobserveduntiltimet-1.
q Atclassification,thedecisionismadewithrespecttoapre-definedthresholdoftheK-topmostprobablysequences.
IMPLEMENTATION
Giventhissequence
Shouldthissequenceoccur?
LegendEach color bar representsone of the all possibleevents (system calls) in thesystem.
Attack• CodeInjection(e.g.,BufferOverflow)
Defense• W⨁X(e.g.,WindowsDEP)
Attack• CodeReuse(e.g.,ROP)
Defense• ASLRandvariants
Attack• MemoryDisclosure(JIT-ROP):EnablesCodeReuse
Defense• CodeRe-Randomization/DeepLearningbasedAnomalyDetection
TheEternalWar q Invalidandabnormalcontrolflowofaprogram:
ü CodeInjectionü CodeReuseü MemoryDisclosure
q Canbecausedby:ü Humanerror(e.g.,
unauthorizeduseoroperationoftheprogram
ü Softwareflaws(e.g.,bufferoverflowvulnerabilities)
ü Attacksbyremoteattackers
ü Maliciousinsiders(e.g.,throughdrive-bydownloads)
CONTRIBUTIONSq Systems can be trained with data of benign flows only in
isolation(thedataisfullavailable.)q Flowsensitiveanomalydetection.GiventheexecutionpathsP1,
P2andP3ourtechniquecapturestheiroccurrenceprobabilities,vitalforhigh-precisionanomalydetection.
CUDA
GPU
MODEL q Modelü BasedonRecurrentNeuralNetworks(RNN):
Long-ShortTermMemory(LSTM)andGatedRecurrentUnit(GRU)
q ProgrammingLanguage:Pythonü Compatiblewithseveralnumericalcomputing
librariessuitablefortheuseofGPUsü Someexamples:Pytorch,TensorFlowand
Theano
q ComputingLibrary:PyTorchü Scientificcomputingpackageü ReplacementofNumpytotakeadvantageof
thepowerofGPUsü Python-friendlyplatformforneuralnetworks
(DeepLearning)q ParallelComputingPlatform:CUDAü ProgrammingmodeltouseGPUsforgeneral
purposecomputing
• D. Ulybyshev, M. Villarreal-Vasquez, B. Bhargava, G. Mani, S. Seaberg, P. Conoval, D. Steiner, J. Kobes"Blockhub: Blockchain-based Software Development System for Untrusted Environments", Submitted toIEEECLOUD2018.
• M.Villarreal-Vasquez,B.Bhargava,P.Angin,N.Ahmed,D.Goodwin,K.BrinandJ.Kobes.AnMTD-basedSelf-AdaptiveResilienceApproachforCloudSystems.InIEEECLOUD2017.
• N. Ahmed and B. Bhargava. “Mayflies: A moving target defense framework for distributed systems,” inProceedingsofthe2016ACMWorkshoponMovingTargetDefense2016.