TL;DR
This paper presents a scalable method for monitoring process behavior in corporate networks by analyzing sequences of system call count vectors using machine learning, enabling detection of malicious or faulty activities.
Contribution
It introduces a novel distributed approach for process monitoring using system call count vectors, suitable for large-scale corporate environments.
Findings
Effective detection of malicious activity demonstrated
Method performs well in real-life laboratory tests
Scalable data collection and processing approach
Abstract
We introduce a methodology for efficient monitoring of processes running on hosts in a corporate network. The methodology is based on collecting streams of system calls produced by all or selected processes on the hosts, and sending them over the network to a monitoring server, where machine learning algorithms are used to identify changes in process behavior due to malicious activity, hardware failures, or software errors. The methodology uses a sequence of system call count vectors as the data format which can handle large and varying volumes of data. Unlike previous approaches, the methodology introduced in this paper is suitable for distributed collection and processing of data in large corporate networks. We evaluate the methodology both in a laboratory setting on a real-life setup and provide statistics characterizing performance and accuracy of the methodology.
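The abstract describes the data format (a sequence of per-process system call count vectors) but not the specific learning algorithm. The following is an added example, not code from the paper or its authors: it turns a constructed syscall stream into count vectors, normalizes them so busy and idle windows are comparable, learns a mean profile plus a mean-plus-k-sigma threshold on L1 distance from training windows, and flags windows that deviate. The syscall vocabulary, window size, weights, the L1/threshold detector and the two anomaly patterns (a spawn/connect burst and a tight read loop) are all assumptions chosen for illustration.

```python
import math
import random
from collections import Counter

# Constructed syscall vocabulary; a real deployment would use the host's full table.
SYSCALLS = ("read", "write", "open", "close", "connect", "execve", "fork")
OTHER = len(SYSCALLS)  # index of the catch-all column for calls outside the vocabulary


def count_vectors(stream, window):
    """Split a per-process syscall stream into consecutive windows of `window`
    calls and return one count vector per window (last column = other)."""
    vecs = []
    for start in range(0, len(stream) - window + 1, window):
        counts = Counter(stream[start:start + window])
        vec = [counts.get(name, 0) for name in SYSCALLS]
        vec.append(sum(n for name, n in counts.items() if name not in SYSCALLS))
        vecs.append(vec)
    return vecs


def normalize(vec):
    """Scale a count vector to a distribution so windows of varying volume compare."""
    total = sum(vec)
    return [x / total for x in vec] if total else [0.0] * len(vec)


def l1(a, b):
    """L1 distance between two equal-length vectors."""
    return sum(abs(x - y) for x, y in zip(a, b))


def fit_baseline(train_vecs, k=3.0):
    """Learn the mean normalized profile and a mean + k*sd threshold on L1 distance.
    The detector itself is an assumption; the paper does not name its algorithm."""
    dists = [normalize(v) for v in train_vecs]
    mean = [sum(col) / len(dists) for col in zip(*dists)]
    scores = [l1(d, mean) for d in dists]
    mu = sum(scores) / len(scores)
    sd = math.sqrt(sum((s - mu) ** 2 for s in scores) / len(scores))
    return mean, mu + k * sd


def detect(vecs, mean, threshold):
    """Return (score, flagged) per window; flagged windows deviate from the baseline."""
    out = []
    for v in vecs:
        score = l1(normalize(v), mean)
        out.append((score, score > threshold))
    return out


# --- constructed data: weights approximating a benign I/O-heavy process ---
NORMAL_WEIGHTS = {"read": 40, "write": 30, "open": 10, "close": 10,
                  "connect": 5, "fork": 3, "execve": 2}


def synthetic_stream(n_calls, seed):
    """Deterministic pseudo-random syscall stream drawn from NORMAL_WEIGHTS."""
    rng = random.Random(seed)
    names = list(NORMAL_WEIGHTS)
    weights = [NORMAL_WEIGHTS[n] for n in names]
    return rng.choices(names, weights=weights, k=n_calls)


def run_demo(window=50):
    """Train on 40 benign windows, then score 3 benign windows plus two
    constructed anomalies: a spawn/beacon burst and a tight retry loop."""
    train = count_vectors(synthetic_stream(40 * window, seed=1), window)
    mean, threshold = fit_baseline(train)
    test_stream = synthetic_stream(3 * window, seed=2)
    test_stream += ["execve", "connect"] * (window // 2)  # window 4: process-spawn/connect burst
    test_stream += ["read"] * window                      # window 5: read loop (e.g. failing device)
    results = detect(count_vectors(test_stream, window), mean, threshold)
    return threshold, results


if __name__ == "__main__":
    threshold, results = run_demo()
    print(f"threshold = {threshold:.3f}")
    for i, (score, flagged) in enumerate(results, 1):
        print(f"window {i}: L1 = {score:.3f} {'ANOMALY' if flagged else 'ok'}")
```

Normalizing each window to a distribution is what lets count vectors absorb the varying data volumes the abstract mentions: a window with ten times the calls but the same mix scores near zero, while a change in the mix scores high regardless of volume. In a distributed deployment the hosts would emit only the count vectors, which are compact, so the monitoring server sees fixed-size records rather than raw call streams.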
