Jan 13, 2021

Anomaly Detection Support Using Process Classification

arXiv:2101.05371v1
AI Analysis

This addresses the need for context-aware anomaly detection in cybersecurity, but it appears incremental as it applies existing methods to a specific domain.

The paper tackles the problem of inferring program names from system events, so that anomaly detection can take the originating process into account. It models transition probabilities between events and classifies with k-nearest neighbors, and its evaluation on real-world, non-malicious data suggests that program names are inferred correctly.

Anomaly detection systems need to consider a lot of information when scanning for anomalies. One example is the context of the process in which an anomaly might occur, because anomalies for one process might not be anomalies for a different one. Therefore data -- such as system events -- need to be assigned to the program they originate from. This paper investigates whether it is possible to infer from a list of system events the program whose behavior caused the occurrence of these system events. To that end, we model transition probabilities between non-equivalent events and apply the $k$-nearest neighbors algorithm. This system is evaluated on non-malicious, real-world data using four different evaluation scores. Our results suggest that the approach proposed in this paper is capable of correctly inferring program names from system events.
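As an added illustration (not code from the paper), the following shows one way to realise the pipeline the abstract sketches: each event trace becomes a vector of transition probabilities between non-equivalent events, and a k-nearest-neighbours vote over those vectors assigns a program name. The event names, sample traces, Euclidean distance and tie-break rule are constructed assumptions, not the paper's data or exact feature definition.

```python
from collections import Counter, defaultdict
from itertools import product
from math import sqrt

# Constructed sample traces (assumption, not data from the paper): each entry is
# the program name and one run's sequence of system-event names.
TRAINING_TRACES = [
    ("editor", ["open", "read", "read", "write", "close"]),
    ("editor", ["open", "read", "write", "write", "close"]),
    ("browser", ["connect", "send", "recv", "recv", "open", "write", "close"]),
    ("browser", ["connect", "send", "recv", "send", "recv", "close"]),
    ("backup", ["open", "read", "close", "open", "read", "close", "connect", "send"]),
    ("backup", ["open", "read", "read", "close", "connect", "send", "send"]),
]

EVENTS = sorted({e for _, trace in TRAINING_TRACES for e in trace})
# One feature per ordered pair of *different* events (a -> b with a != b),
# i.e. transitions between non-equivalent events as in the abstract.
PAIRS = [(a, b) for a, b in product(EVENTS, repeat=2) if a != b]

def transition_vector(trace):
    """Row-normalised P(b | a) for a != b, flattened over PAIRS."""
    counts = Counter()
    for a, b in zip(trace, trace[1:]):
        if a != b:                      # self-transitions are ignored
            counts[(a, b)] += 1
    totals = defaultdict(int)           # outgoing transitions per source event
    for (a, _), n in counts.items():
        totals[a] += n
    # Pairs involving events unseen in training get no dimension but still
    # count towards the source total, so known-pair probabilities shrink.
    return [counts[p] / totals[p[0]] if totals[p[0]] else 0.0 for p in PAIRS]

def euclidean(u, v):
    return sqrt(sum((x - y) ** 2 for x, y in zip(u, v)))

def infer_program(trace, training=TRAINING_TRACES, k=3):
    """Majority vote among the k nearest training traces; ties go to the closer label."""
    q = transition_vector(trace)
    ranked = sorted((euclidean(q, transition_vector(t)), name) for name, t in training)
    votes = Counter(name for _, name in ranked[:k])
    best = max(votes.values())
    return next(name for _, name in ranked[:k] if votes[name] == best)

if __name__ == "__main__":
    print(infer_program(["open", "read", "write", "close"]))          # editor
```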
