Visible to the public Model-based Cluster Analysis for Identifying Suspicious Activity Sequences in SoftwareConflict Detection Enabled

TitleModel-based Cluster Analysis for Identifying Suspicious Activity Sequences in Software
Publication TypeConference Paper
Year of Publication2017
AuthorsHemank Lamba, Thomas J. Glazier, Javier Camara, Bradley Schmerl, David Garlan, Jurgen Pfeffer
Conference NameIWSPA '17 Proceedings of the 3rd ACM on International Workshop on Security And Privacy Analytics
Date Published03/2017
PublisherACM New York, NY, USA ©2017
Conference LocationScottsdale, AZ
ISBN Number978-1-4503-4909-3
KeywordsApr'17, CMU

Large software systems have to contend with a significant number of users who interact with different components of the system in various ways. The sequences of components that are used as part of an interaction define sets of behaviors that users have with the system. These can be large in number. Among these users, it is possible that there are some who exhibit anomalous behaviors -- for example, they may have found back doors into the system and are doing something malicious. These anomalous behaviors can be hard to distinguish from normal behavior because of the number of interactions a system may have, or because traces may deviate only slightly from normal behavior. In this paper we describe a model-based approach to cluster sequences of user behaviors within a system and to find suspicious, or anomalous, sequences. We exploit the underlying software architecture of a system to define these sequences. We further show that our approach is better at detecting suspicious activities than other approaches, specifically those that use unigrams and bigrams for anomaly detection. We show this on a simulation of a large scale system based on Amazon Web application style architecture.

Citation Keynode-34450

Other available formats:

Lamba_Model_Based_Cluster_DG.pdfPDF document460.15 KBDownloadPreview