DReAM: Deep Recursive Attentive Model for Anomaly Detection in Kernel Events

System logs and traces contain information that reflects the state of the system and serve as a rich source of knowledge for system monitoring from the application layer down to the kernel layer. Moreover, logging traces as a tool for monitoring the operation of a cyber-physical system is recommended by most safety standards organizations. However, because the volume of data can become overwhelming within a short space of time, models that do not rely solely on known signatures become difficult to use for online anomaly detection, given the challenge of processing such an enormous amount of data at runtime. Hence, most practitioners resort to signature-based tools. In this paper, we introduce an anomaly detection model that uses intra-trace and inter-trace context vectors with long short-term memory networks to overcome the challenge of online anomaly detection in cyber-physical systems. We test the performance of the model on publicly available datasets that reflect the internal and external control flow of an embedded application, and the model demonstrates both effectiveness and robustness in detecting an anomalous sequence in a system call stream.
