Publication no #503
Model-based cluster analysis for identifying suspicious activity sequences in software

Hemank Lamba, Thomas J. Glazier, Javier Cámara, Bradley Schmerl, David Garlan and Jürgen Pfeffer.

In Proceedings of the 3rd International Workshop on Security and Privacy Analytics (IWSPA 2017), Scottsdale, AZ, 24 March 2017.


Large software systems have to contend with a significant number of users who interact with different components of the system in various ways. The sequences of components that are used as part of an interaction define sets of behaviors that users have with the system. These can be large in number. Among these users, it is possible that there are some who exhibit anomalous behaviors – for example, they may have found back doors into the system and are doing something malicious. These anomalous behaviors can be hard to distinguish from normal behavior because of the number of interactions a system may have, or because traces may deviate only slightly from normal behavior. In this paper we describe a model-based approach to cluster sequences of user behaviors within a system and to find suspicious, or anomalous, sequences. We exploit the underlying software architecture of a system to define these sequences. We further show that our approach is better at detecting suspicious activities than other approaches, specifically those that use unigrams and bigrams for anomaly detection. We show this on a simulation of a large-scale system based on Amazon Web application style architecture.

Keywords: Science of Security.  
    Created: 2016-12-20 09:11:05     Modified: 2017-01-13 15:24:28