Title :
A modified process anomaly detection using Boolean function
Author :
Kun Mao ; Xuehui Du ; Yi Sun
Author_Institution :
Henan Province Inf. Security Key Lab., Zhengzhou Inf. Sci. & Technol. Inst., Zhengzhou, China
Abstract :
This paper proposes a process anomaly detection method that uses a Boolean function to determine whether a running process has been compromised. The method combines the results of multiple detectors to avoid a single detector's limitation of inadequate training and the resulting poor generalization performance, aiming at a higher true positive rate and a lower false positive rate. The traditional hidden Markov model is used, and improved, to describe the process, so that normal and anomalous behaviour can be distinguished. A simplified Boolean function is used to improve efficiency. Two algorithms are proposed to evaluate and improve the detector's performance, and in simulation the method achieves a high true positive rate and a low false positive rate.
Keywords :
Boolean functions; data mining; hidden Markov models; security of data; detector performance; hidden Markov model; lower false positive rate; modified process anomaly detection; multiple detectors; poor generalization performance; running process; simplified Boolean function; single detector limitation; true positive rate; Boolean function; Hidden Markov Model; ROC; anomaly detection; process behavior evaluation;
Conference_Titel :
Communication Technology (ICCT), 2012 IEEE 14th International Conference on
Conference_Location :
Chengdu
Print_ISBN :
978-1-4673-2100-6
DOI :
10.1109/ICCT.2012.6511320