A. W. Paundu, T. Okuda, Y. Kadobayashi, S. Yamaguchi
2016 IEEE 3rd International Conference on Cyber Security and Cloud Computing (CSCloud), published 2016-06-25. DOI: 10.1109/CSCloud.2016.51 (https://doi.org/10.1109/CSCloud.2016.51)
Sequence-Based Analysis of Static Probe Instrumentation Data for a VMM-Based Anomaly Detection System
In this work, we propose a framework for a Virtual Machine Monitor (VMM)-based Anomaly Detection System (ADS). This framework applies sequence-based analysis with a Hidden Markov Model (HMM) to static probe instrumentation data collected within the VMM. Long observations are split into multiple small sequences of uniform length. The list of likelihood scores of the sequences in a new observation is compared to a reference list of likelihood scores created from a normal scenario dataset. Statistical distance values between the two lists are used to predict the new observation's anomaly status. We evaluated the effectiveness of the approach over multiple statistical distance measures and multiple sequence lengths. We also compared our sequence-based analysis results with frequency-based analysis results obtained using the One-Class Support Vector Machine (OC-SVM). The results show that the HMM sequence-based analysis can distinguish normal datasets from anomalous datasets better than the OC-SVM frequency-based analysis.
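The scoring pipeline the abstract describes, as an added sketch that is not the paper's code. The HMM parameters are hand-set stand-ins for a model trained on normal traces, and the probe event IDs, window length, threshold and the Kolmogorov-Smirnov statistic as the distance measure are all assumptions, since the abstract does not name them.

```python
import math

# Assumed, hand-set HMM standing in for one trained on normal VMM probe traces.
# Symbols are constructed probe event IDs: 0 and 1 are common, 2 is rare.
START = [0.5, 0.5]
TRANS = [[0.1, 0.9], [0.9, 0.1]]
EMIT = [[0.90, 0.05, 0.05], [0.05, 0.90, 0.05]]

def log_likelihood(seq):
    """Scaled forward algorithm: log P(seq | model)."""
    alpha = [START[s] * EMIT[s][seq[0]] for s in range(2)]
    loglik = 0.0
    for t in range(len(seq)):
        if t > 0:
            alpha = [sum(alpha[p] * TRANS[p][s] for p in range(2)) * EMIT[s][seq[t]]
                     for s in range(2)]
        scale = sum(alpha)
        loglik += math.log(scale)
        alpha = [a / scale for a in alpha]
    return loglik

def window_scores(trace, length):
    """Split a long observation into uniform-length windows and score each."""
    usable = len(trace) - len(trace) % length
    return [log_likelihood(trace[i:i + length]) for i in range(0, usable, length)]

def ks_distance(ref, new):
    """Two-sample Kolmogorov-Smirnov statistic between two score lists."""
    def ecdf(xs, x):
        return sum(v <= x for v in xs) / len(xs)
    return max(abs(ecdf(ref, x) - ecdf(new, x)) for x in set(ref) | set(new))

def is_anomalous(ref_scores, trace, length, threshold=0.5):
    """Flag a new observation whose score list is far from the reference list."""
    return ks_distance(ref_scores, window_scores(trace, length)) > threshold

# Constructed traces: two normal runs and one dominated by the rare event.
NORMAL_REF = ([0, 1, 0, 1, 0, 1] + [0, 1, 0, 1, 2, 1]) * 5
NORMAL_NEW = ([0, 1, 0, 1, 0, 1] + [0, 1, 0, 1, 2, 1]) * 2
ANOMALOUS_NEW = [2, 2, 0, 2, 2, 1] * 4
REF_SCORES = window_scores(NORMAL_REF, 6)

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL_NEW), ("anomalous", ANOMALOUS_NEW)):
        print(name, ks_distance(REF_SCORES, window_scores(trace, 6)))
```

The decision depends on the window length and the distance measure, which is why the abstract reports evaluating several of each.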