On Improving Deep Learning Trace Analysis with System Call Arguments

TL;DR

This paper enhances deep learning analysis of kernel traces by incorporating event arguments, improving anomaly detection and language modeling performance across multiple neural network architectures.

Contribution

It introduces a general, task-agnostic approach to embedding event names and arguments in kernel trace analysis, validated on real-world datasets.

Findings

Up to 11.3% performance improvement on language modeling tasks

Effective integration of event arguments boosts neural network accuracy

Validated on datasets from web requests and pre-production servers

Abstract

Kernel traces are sequences of low-level events comprising a name and multiple arguments, including a timestamp, a process id, and a return value, depending on the event. Their analysis helps uncover intrusions, identify bugs, and find latency causes. However, their effectiveness is hindered by omitting the event arguments. To remedy this limitation, we introduce a general approach to learning a representation of the event names along with their arguments using both embedding and encoding. The proposed method is readily applicable to most neural networks and is task-agnostic. The benefit is quantified by conducting an ablation study on three groups of arguments: call-related, process-related, and time-related. Experiments were conducted on a novel web request dataset and validated on a second dataset collected on pre-production servers by Ciena, our partnering company. By leveraging additional information, we were able to increase the performance of two widely-used neural networks, an LSTM and a Transformer, by up to 11.3% on two unsupervised language modelling tasks. Such tasks may be used to detect anomalies, pre-train neural networks to improve their performance, and extract a contextual representation of the events.