Integrating system calls and position-specific scoring for enhanced anomaly detection in Internet of Things environments

Abstract

Identifying attacks on Internet of Things (IoT) systems through anomaly detection is an effective approach and remains a crucial area of research. The core method involves collecting system-related data during normal operation to establish a baseline of typical behavior and then continuously monitoring for deviations from this baseline. Using system call sequences for anomaly detection is a well-established and important field. System call sequences effectively capture the behavior of a target system at a low level, allowing identification of any changes in this behavior; however, these approaches face several challenges, including high false-positive rates, the need for segmentation of long sequences, and the difficulty of detecting anomalies when the system call data comes from multiple processes. This work presents a novel anomaly-detection approach that uses a position-specific scoring mechanism to analyze the content and structural properties of system call sequences. The proposed approach addresses key challenges in this field, including fixed-length segmentation of system call sequences, predetermined anomaly-detection thresholds, the detection of anomalies in both single and multiple processes, and high false-positive rates. We extensively evaluated the proposed approach using system-call-specific public datasets (ADFA-LD and UNM) of a diverse nature. The performance of the proposed content-based, structure-based, and combined content- and structure-based anomaly-detection methods was evaluated using ten-fold cross-validation. The proposed anomaly-detection approach achieves an impressive detection rate of 1.0, along with exceptionally low false-positive rates of 0.001 and 0.017 when evaluated on the UNM and ADFA-LD datasets, respectively.