@InProceedings{2017/Lamba/Cluster,
AUTHOR = {Lamba, Hemank and Glazier, Thomas J. and C\'{a}mara, Javier and Schmerl, Bradley and Garlan, David and Pfeffer, J\"{u}rgen},
TITLE = {Model-based cluster analysis for identifying suspicious activity sequences in software},
YEAR = {2017},
MONTH = {24 March},
BOOKTITLE = {Proceedings of the 3rd International Workshop on Security and Privacy Analytics (IWSPA 2017)},
ADDRESS = {Scottsdale, AZ},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/model-based-cluster-submitted.pdf},
ABSTRACT = {Large software systems have to contend with a significant number of
users who interact with different components of the system in various
ways. The sequences of components that are used as part of an interaction
define sets of behaviors that users have with the system. These
can be large in number. Among these users, it is possible that there are
some who exhibit anomalous behaviors – for example, they may have
found back doors into the system and are doing something malicious.
These anomalous behaviors can be hard to distinguish from normal
behavior because of the number of interactions a system may have,
or because traces may deviate only slightly from normal behavior. In
this paper we describe a model-based approach to cluster sequences of
user behaviors within a system and to find suspicious, or anomalous,
sequences. We exploit the underlying software architecture of a system
to define these sequences. We further show that our approach is better at
detecting suspicious activities than other approaches, specifically those
that use unigrams and bigrams for anomaly detection. We show this on
a simulation of a large scale system based on Amazon Web application
style architecture.},
KEYWORDS = {Science of Security}
}
|
|
