DOI: 10.1145/3041008.3041014
Model-based Cluster Analysis for Identifying Suspicious Activity Sequences in Software

Published: 24 March 2017
Abstract

    Large software systems have to contend with a significant number of users who interact with different components of the system in various ways. The sequences of components used as part of an interaction define the set of behaviors users have with the system, and that set can be large. Among these users there may be some who exhibit anomalous behaviors -- for example, they may have found back doors into the system and be doing something malicious. Such anomalous behaviors can be hard to distinguish from normal behavior because of the number of interactions a system may have, or because traces may deviate only slightly from normal behavior. In this paper we describe a model-based approach to clustering sequences of user behaviors within a system and finding suspicious, or anomalous, sequences. We exploit the underlying software architecture of the system to define these sequences. We further show that our approach is better at detecting suspicious activities than other approaches, specifically those that use unigrams and bigrams for anomaly detection, on a simulation of a large-scale system based on an Amazon web application style architecture.


    Cited By

    • (2023) A deep learning anomaly detection framework with explainability and robustness. Proceedings of the 18th International Conference on Availability, Reliability and Security, pp. 1-7. DOI: 10.1145/3600160.3605052. Online publication date: 29 Aug 2023.
    • (2021) Fraud Detection in Online Market Research. Intelligent Systems and Applications, pp. 450-459. DOI: 10.1007/978-3-030-82196-8_33. Online publication date: 3 Aug 2021.
    • (2020) Botnets and their detection techniques. 2020 International Symposium on Networks, Computers and Communications (ISNCC), pp. 1-6. DOI: 10.1109/ISNCC49221.2020.9297307. Online publication date: 20 Oct 2020.
    • (2018) Masquerade Detection on Mobile Devices. Guide to Vulnerability Analysis for Computer Networks and Systems, pp. 301-315. DOI: 10.1007/978-3-319-92624-7_13. Online publication date: 5 Sep 2018.


    Published In

    IWSPA '17: Proceedings of the 3rd ACM on International Workshop on Security And Privacy Analytics
    March 2017
    88 pages
    ISBN:9781450349093
    DOI:10.1145/3041008
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. anomaly detection
    2. clustering
    3. data mining
    4. software systems

    Qualifiers

    • Short-paper

    Funding Sources

    • NSA

    Conference

    CODASPY '17
    Acceptance Rates

    IWSPA '17 Paper Acceptance Rate 4 of 14 submissions, 29%;
    Overall Acceptance Rate 18 of 58 submissions, 31%

    Article Metrics

    • Downloads (last 12 months): 2
    • Downloads (last 6 weeks): 0
    Reflects downloads up to 12 Aug 2024
