Stacking ensemble-based HIDS framework for detecting anomalous system processes in Windows based operating systems using multiple word embedding. Issue 125 (February 2023)
- Record Type:
- Journal Article
- Title:
- Stacking ensemble-based HIDS framework for detecting anomalous system processes in Windows based operating systems using multiple word embedding. Issue 125 (February 2023)
- Main Title:
- Stacking ensemble-based HIDS framework for detecting anomalous system processes in Windows based operating systems using multiple word embedding
- Authors:
- Kumar, Yogendra
Subba, Basant
- Abstract:
- Globally, more than 80% of end-user devices run Microsoft's Windows-based operating systems. Therefore, the majority of cyber-attack payloads are crafted explicitly to exploit the various vulnerabilities that exist across different software modules of Windows-based operating systems. To address this security issue, a stacking ensemble-based HIDS framework for detecting anomalous system processes is proposed in this paper. The proposed HIDS framework analyzes process files comprising the sequence of DLL calls made by various application and system processes to the Windows operating system's kernel in order to detect anomalous processes. The framework first transforms the system process files comprising sequences of DLL invocations into their corresponding n-gram feature vectors. It then uses two state-of-the-art word embedding techniques, Word2Vec and GloVe, to learn the contextual inter-dependencies between the n-gram terms of the feature vectors and to generate a fixed-length word embedding vector for each n-gram term. These learned numeric word embedding vectors, along with the n-gram feature vectors corresponding to the system process files, are then provided as input to train an ensemble-based classifier model comprising LSTM, Bi-LSTM, GRU and Bi-GRU base-level classifiers and a fully connected neural network meta-level classifier, which classifies system process files as either normal or anomalous. The proposed HIDS framework is capable of detecting a wide range of Windows-based attacks with high accuracy and precision. Experimental results show that the proposed HIDS framework achieves a high accuracy and precision of 91.00% and 93.30%, respectively, on the benchmark binary-class Australian Defence Force Academy Windows Dataset (ADFA-WD). It also achieves an accuracy and precision of 68.70% and 67.80%, respectively, on the multi-class ADFA-WD dataset, which are significantly higher than those of other similar HIDS frameworks proposed in the literature.
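The pipeline the abstract describes (DLL-call traces turned into n-gram feature vectors, an embedding learned from n-gram co-occurrence, base-level classifiers whose outputs feed a meta-level classifier), as an added example that is not the paper's code. The traces, the DLL:function token format and the labels are constructed for the example; add-one smoothed naive-Bayes scorers stand in for the LSTM/Bi-LSTM/GRU/Bi-GRU base models and a logistic regression stands in for the fully connected meta-classifier. Word2Vec/GloVe training itself is out of scope here; only the term co-occurrence statistic that a GloVe embedding would be fitted to is built.

```python
"""n-gram features from DLL-call traces and a minimal stacking ensemble.
Added illustration, not the paper's code: traces, DLL:function tokens and labels
are constructed; naive-Bayes base scorers and a logistic meta-learner stand in
for the paper's recurrent base models and fully connected meta-model."""
import math
from collections import Counter

# Constructed traces (not ADFA-WD data): the ordered DLL:function calls of one process.
NORMAL = [
    "kernel32:CreateFileW kernel32:ReadFile kernel32:CloseHandle user32:MessageBoxW",
    "kernel32:CreateFileW kernel32:WriteFile kernel32:CloseHandle",
    "advapi32:RegOpenKeyExW advapi32:RegQueryValueExW advapi32:RegCloseKey",
    "kernel32:CreateFileW kernel32:ReadFile kernel32:ReadFile kernel32:CloseHandle",
    "user32:CreateWindowExW user32:ShowWindow user32:GetMessageW user32:DispatchMessageW",
    "kernel32:GetModuleHandleW kernel32:GetProcAddress kernel32:LoadLibraryW user32:MessageBoxW",
]
ANOMALOUS = [
    "kernel32:OpenProcess kernel32:VirtualAllocEx kernel32:WriteProcessMemory kernel32:CreateRemoteThread",
    "kernel32:OpenProcess kernel32:VirtualAllocEx kernel32:WriteProcessMemory kernel32:CreateRemoteThread kernel32:CloseHandle",
    "ws2_32:socket ws2_32:connect kernel32:CreateProcessW ws2_32:send ws2_32:recv",
    "user32:SetWindowsHookExW user32:GetAsyncKeyState user32:GetAsyncKeyState ws2_32:send",
]
TRACES, LABELS = NORMAL + ANOMALOUS, [0] * len(NORMAL) + [1] * len(ANOMALOUS)
HELD_OUT_NORMAL = "kernel32:CreateFileW kernel32:ReadFile kernel32:CloseHandle"
HELD_OUT_ANOMALOUS = "kernel32:OpenProcess kernel32:WriteProcessMemory kernel32:CreateRemoteThread"

def ngrams(toks, n):
    """Overlapping n-gram terms of a token list, joined with spaces."""
    return [" ".join(toks[i:i + n]) for i in range(len(toks) - n + 1)]

def build_vocab(traces, n):
    """Sorted list of every n-gram term seen in the training traces."""
    return sorted({g for t in traces for g in ngrams(t.split(), n)})

def vectorize(trace, vocab, n):
    """Fixed-length n-gram count vector of one trace over the vocabulary."""
    c = Counter(ngrams(trace.split(), n))
    return [c.get(g, 0) for g in vocab]

def cooccurrence(traces, vocab, n, window=2):
    """Symmetric term-term co-occurrence counts within `window` positions of the
    n-gram stream: the statistic a GloVe embedding is fitted to."""
    idx, m = {g: i for i, g in enumerate(vocab)}, [[0] * len(vocab) for _ in vocab]
    for t in traces:
        g = ngrams(t.split(), n)
        for i, a in enumerate(g):
            for b in g[i + 1:i + 1 + window]:
                m[idx[a]][idx[b]] += 1
                m[idx[b]][idx[a]] += 1
    return m

class NgramNB:
    """Base-level scorer: add-one smoothed multinomial naive Bayes over n-gram
    counts; score(x) = log P(anomalous|x) - log P(normal|x)."""
    def __init__(self, n):
        self.n = n
    def fit(self, traces, labels):
        self.vocab, self.prior = build_vocab(traces, self.n), Counter(labels)
        self.counts = {0: Counter(), 1: Counter()}
        for t, y in zip(traces, labels):
            self.counts[y].update(ngrams(t.split(), self.n))
        return self
    def _loglik(self, trace, y):
        total = sum(self.counts[y].values()) + len(self.vocab)
        ll = math.log(self.prior[y] / sum(self.prior.values()))
        return ll + sum(math.log((self.counts[y][g] + 1) / total) for g in ngrams(trace.split(), self.n))
    def score(self, trace):
        return self._loglik(trace, 1) - self._loglik(trace, 0)

def train_meta(rows, labels, lr=0.1, epochs=500):
    """Meta-level classifier: logistic regression over the base scores (the
    paper's fully connected network reduced to a single layer)."""
    scale = max(abs(v) for r in rows for v in r) or 1.0
    w = [0.0] * (len(rows[0]) + 1)  # last weight is the bias
    for _ in range(epochs):
        for r, y in zip(rows, labels):
            x = [v / scale for v in r] + [1.0]
            p = 1 / (1 + math.exp(-sum(wi * xi for wi, xi in zip(w, x))))
            w = [wi - lr * (p - y) * xi for wi, xi in zip(w, x)]
    return w, scale

class Stacker:
    """Stacking ensemble: unigram and bigram base learners, logistic meta-learner."""
    def __init__(self, ns=(1, 2)):
        self.ns = ns
    def fit(self, traces, labels):
        self.bases = [NgramNB(n).fit(traces, labels) for n in self.ns]
        # Leave-one-out base scores: the meta-learner must never see a score from a
        # base model that was trained on the trace being scored.
        rows = [[NgramNB(n).fit(traces[:i] + traces[i + 1:], labels[:i] + labels[i + 1:]).score(t)
                 for n in self.ns] for i, t in enumerate(traces)]
        self.w, self.scale = train_meta(rows, labels)
        return self
    def predict_proba(self, trace):
        x = [b.score(trace) / self.scale for b in self.bases] + [1.0]
        return 1 / (1 + math.exp(-sum(wi * xi for wi, xi in zip(self.w, x))))
    def predict(self, trace):
        return int(self.predict_proba(trace) >= 0.5)
```

The point to carry over to any real implementation is in `Stacker.fit`: the meta-level model is trained on out-of-fold base scores, not on scores the base models produce for traces they were trained on, otherwise the meta-learner simply learns to trust overfitted base outputs. `Stacker().fit(TRACES, LABELS).predict(HELD_OUT_ANOMALOUS)` returns 1 and `predict(HELD_OUT_NORMAL)` returns 0 on the constructed data; on a real dataset such as ADFA-WD the base scorers would be replaced by the sequence models and the n-gram count vectors by the learned embeddings.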
- Is Part Of:
- Computers & security. Issue 125(2023)
- Journal:
- Computers & security
- Issue:
- Issue 125(2023)
- Issue Display:
- Volume 125, Issue 125 (2023)
- Year:
- 2023
- Volume:
- 125
- Issue:
- 125
- Issue Sort Value:
- 2023-0125-0125-0000
- Page Start:
- Page End:
- Publication Date:
- 2023-02
- Subjects:
- Host based Intrusion Detection System(HIDS) -- Ensemble-based classifier -- Word Embedding -- Word2Vec & GloVe -- ADFA-WD dataset
Computer security -- Periodicals
Electronic data processing departments -- Security measures -- Periodicals
005.805
- Journal URLs:
- http://www.sciencedirect.com/science/journal/01674048
http://www.elsevier.com/journals
- DOI:
- 10.1016/j.cose.2022.102961
- Languages:
- English
- ISSNs:
- 0167-4048
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - 3394.781000
British Library DSC - BLDSS-3PM
British Library HMNTS - ELD Digital store
- Ingest File:
- 26973.xml