PHMM Applications Mark Stamp PHMM Applications 1 Applications
- Slides: 43
PHMM Applications Mark Stamp PHMM Applications 1
Applications q We consider 2 applications of PHMMs to problems in information security o Masquerade detection o Malware detection q Both show some strengths of PHMMs q Both are somewhat unique q PHMMs not always a first choice… PHMM Applications 2
PHMM for Masquerade Detection Lin Huang Mark Stamp PHMM Applications 3
Masquerader? q Masquerader makes unauthorized use of another user’s account o Masquerader tries to evade detection by pretending to be the other user q Can we detect masquerader? o Intrusion Detection System (IDS) q We consider special case where such an IDS is based on UNIX commands PHMM Applications 4
Schonlau Dataset q Collection of UNIX commands, 50 users o 5 k training commands per user, plus… o 10 k “attack” commands per user q Also, a key to tell which blocks are attack and which belong to same user o Nominally, 100 blocks, 100 commands each q No real session start/end info provided o This could be an issue… PHMM Applications 5
Previous Work q Lots of papers use “Schonlau dataset” q Types of methods that have been used o o o Information theoretic Text mining Hidden Markov Model Naïve Bayes Sequences and bioinformatics SVM, and Other PHMM Applications 6
Information Theoretic q Schonlau originally used compressionbased scheme o The theory is that commands by same user should compress more o By subsequent standard, poor results q Some other similar work, but… o … no strong results based on compression q Compression PHMM Applications for malware detection? 7
Text Mining q Look for repetitive sequences o Can be used to detect particular user o Almost like a signature q PCA has also been used here o Repetitive sequences, i. e. , patterns o PCA can find such structure o Training cost considered high q Other PHMM Applications ways to do “text mining”? 8
Hidden Markov Model q Need we say more? q HMM is one of the most popular detection strategies in this field o Results are good o Serves as benchmark in many (most) studies of other techniques q We implement HMM detector and compare to PHMM Applications 9
Naïve Bayes q Naïve Bayes (NB) relies on frequencies o No sequential info used o Very simple o Efficient training & scoring q Discuss naïve Bayes in later chapter q Close connection between HMM and NB o So, not too surprising that this works o But, surprising that it works so well PHMM Applications 10
Sequences and Bioinformatics q n-gram approaches very popular o Like HMM, also used as benchmark q Sequence alignment has been used o Based on Smith-Waterman algorithm o Like constructing MSA in PHMM o Closest previous work to PHMM q We’ll compare our PHMM results to both n-gram and HMM PHMM Applications 11
Support Vector Machines q Several previous studies use SVM o SVM has nice geometric interpretation o SVMs very popular in machine learning q For masquerade detection, SVM results are about same as NB q Claimed that SVM is more efficient, as compared to naïve Bayes o But, naïve Bayes is very efficient… PHMM Applications 12
Other q Frequent and/or infrequent commands o Neither seems to perform well q “Hybrid Bayes one step Markov” and “hybrid multistep Markov” o Nice names, but not so good results q “Non-negative matrix factorization” o Good results q Ensemble (combination) approaches o Seem to offer slight improvement PHMM Applications 13
Experimental Results q Again, we compare HMM and n-grams to several PHMM models o All are tested on Schonlau dataset o Then we generate a simulated dataset o All tested again on simulated data q Why simulated data? o Schonlau data has limitations wrt PHMM o This will be explained later… PHMM Applications 14
HMM & n-Gram ROC Curves q First, compare HMM and n -grams PHMM Applications 15
HMM and n-Gram AUC q For ROC curves on previous slide… PHMM Applications 16
Training PHMM q How many sequences to use? o More sequences, better for E matrix… o …but worse for gaps q Length of each sequence? o For Schonlau dataset, we have 5 k training commands per user q Where to begin/end sequences? o No good answers for Schonlau dataset PHMM Applications 17
PHMM Sequences q Note that all 5 k commands used in each case PHMM Applications 18
PHMM ROC Curves q ROC curves for each PHMM case q Any trend? PHMM Applications 19
PHMM AUC q AUC for each PHMM case o 5, 10, and 20 sequences are best cases PHMM Applications 20
HMM, n-Gram, and PHMM q Again, for Schonlau dataset q Which method is better? PHMM Applications 21
HMM vs PHMM q HMM and PHMM give similar results on Schonlau dataset q Surprising that PHMM does so well o Why? No begin/end sequence info! q What if we had “better” sequences? o PHMM could certainly do better and maybe much, much better q But how to get a better dataset? PHMM Applications 22
Simulated Dataset q Generate Markov model for each user o Based on monograph & digraph stats o Like matrices π and A of an HMM q Now we can generate sequences o Use matrix π to select initial element o Then use matrix A to generate sequence q HMM must do well on this data (why? ) q PHMM might do well… or not… PHMM Applications 23
ROC Curves Simulated Data q HMM vs PHMM q Based on 5 k training commands PHMM Applications 24
AUC for Simulated Data q Again, PHMM Applications based on 5 k training commands 25
Real World Problem q Masquerade detection in real world q At first, we have little training data o Can’t protect user until we train a model o So, we want to train as soon as possible q Minimum training data needed to obtain a useful model? q We compare HMM and PHMM with 200, 400, and 800 training commands PHMM Applications 26
Limited Training Data q Simulated data q HMM vs PHMM q Big difference when very little training data available PHMM Applications 27
Limited Training Data q PHMM most impressive with very little data (especially wrt AUC 0. 1) PHMM Applications 28
Limited Training Data q Same results as previous slide PHMM Applications 29
Optimal Masquerade Detection Strategy? q Obtain 200 commands, train PHMM q Use this PHMM model until a reliable set of 800+ commands is available q Then train HMM on 800+ commands q Use HMM from then on q Gives us a reliable model with limited data, and best model with more data PHMM Applications 30
Another PHMM Advantage? q PHMM might be better when attacker hijacks ongoing session q Masquerader mimics average behavior o This is what is modeled by HMM q Harder to mimic sequential behavior o As modeled by PHMM o Depends on position in the sequence q This should be investigated further… PHMM Applications 31
PHMM for Malware Detection Swapna Vemparala Mark Stamp PHMM Applications 32
Malware Detection q In previous work, PHMM tested for metamorphic detection o Based on extracted opcodes q Results were generally not impressive q MSA has many gaps and PHMM is weak q Code transposition causes problems o And code transposition common in malware q Opcode PHMM Applications sequence not strong wrt PHMM 33
Malware Detection 2. 0 q Here, again apply PHMM to malware q But what to use as features ? ? ? q Want feature(s) where… o Sequence/order is critical o And, difficult for malware writer to modify sequential information q What feature(s) to use? o (Static) opcodes not good in PHMM Applications 34
Software Birthmarks q Birthmark is inherent feature of code o In contrast to a watermark q We consider both static and dynamic birthmarks q Static collected without executing q Dynamic execution/emulation q Examples of each? q Advantages/disadvantages of each? PHMM Applications 35
This Research q Consider opcodes o Static feature, extracted by disassembly q Also consider API calls o Dynamic, use Buster Sandbox Analyzer q Compare HMM and PHMM for both o Then 3 cases for each malware family… o Static and dynamic HMM o Dynamic PHMM Applications 36
Data q Malware q Benign PHMM Applications data from Malicia Project set of 20 Windows applications 37
HMM & Opcode Sequences q Scatterplots and ROC curves for Security Shield PHMM Applications 38
HMM Results q Results for all families, static and dynamic birthmarks PHMM Applications 39
PHMM q Dynamic PHMM Applications birthmarks, i. e. , API calls 40
Results q Static and dynamic HMM q And dynamic PHMM Applications 41
Bottom Line q In these cases, dynamic data gives better results o API calls better than (static) opcodes q HMM does very well on API calls… q …but PHMM can do even better q Sequential info matters in API calls! q Is PHMM really worth it? PHMM Applications 42
References q Masquerade detection o L. Huang and M. Stamp, Masquerade detection using profile hidden Markov models, Computers & Security, 30(8): 732 -747, November 2011 q Malware detection o S. Vemparala, et al, Malware detection using dynamic birthmarks, 2 nd International Workshop on Security & Privacy Analytics (IWSPA 2016), co-located with ACM CODASPY 2016, March 9 -11, 2016 PHMM Applications 43
- Markov
- App.avantassessment.com/tech-check
- Lingual split technique diagram
- Nanny shine has got
- Stamp duty(amendment) proclamation no. 612/2008
- Sugar and stamp act
- Basic stamp ii
- Time stamping in dbms
- 4 1/2 cent white house stamp
- 10 u.s.c. 1044a notary stamp
- Place stamp here
- Ca stamp format
- Physics or stamp collecting
- Joe louis postage stamp
- Basic stamp programming
- Migratory bird hunting stamp act of 1934
- Stamp violence assessment tool
- Stamp
- 10 usc 1044a
- Boston tea party stamp
- Dental dam hole punch sizes
- Place stamp here
- Place stamp here
- Pixpsd
- Incoming mail register
- Why did the colonists resent the stamp act?
- Stamp of the beast
- Meat inspection stamp philippines
- The stamp tax uproar
- Stamp act
- Sophie scholl thilde scholl
- Pan-african movement stamp
- Kennings for a hero
- Idaho quest card balance
- Stampli vendor portal
- Cdc stamp
- Stamp coupling in software engineering
- Collective nouns for banana
- Miss lawrence billie holiday
- What grade of seafood is marked with a stamp
- Cuda parallel reduction
- Mark bulle
- Of comfort no man speak
- Mark brehob