Article

Comparison of System Call Representations for Intrusion Detection

Logic Journal of the IGPL (2020)
DOI: 10.1007/978-3-030-20005-3_2

Abstract

Over the years, artificial neural networks have been applied successfully in many areas including IT security. Yet, neural networks can only process continuous input data. This is particularly challenging for security-related non-continuous data like system calls. This work focuses on four different options to preprocess sequences of system calls so that they can be processed by neural networks. These input options are based on one-hot encoding and learning word2vec or GloVe representations of system calls. As an additional option, we analyze if the mapping of system calls to their respective kernel modules is an adequate generalization step for (a) replacing system calls or (b) enhancing system call data with additional information regarding their context. However, when performing such preprocessing steps it is important to ensure that no relevant information is lost during the process. The overall objective of system call based intrusion detection is to categorize sequences of system calls as benign or malicious behavior. Therefore, this scenario is used to evaluate the different input options as a classification task. The results show that each of the four different methods is a valid option when preprocessing input data, but the use of kernel modules only is not recommended because too much information is being lost during the mapping process.
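As an added illustration (not code from the paper), the block below builds three of the input options the abstract names on constructed traces: one-hot encoded system calls, the kernel-module mapping used to replace system calls (option a), and the same mapping used to enhance the one-hot vector (option b). The `SYSCALL_MODULE` table and the traces are assumptions made for this example; `collisions()` counts distinct call sequences that become indistinguishable after option (a), which is the information loss the abstract warns about.

```python
# Constructed mapping of system calls to the kernel subsystem that implements
# them (an assumption for this example; the paper's own mapping is not shown here).
SYSCALL_MODULE = {
    "open": "fs", "read": "fs", "write": "fs", "close": "fs",
    "mmap": "mm", "munmap": "mm",
    "socket": "net", "connect": "net", "sendto": "net",
    "fork": "kernel", "kill": "kernel",
}


def build_vocab(sequences):
    """Stable index for every distinct token seen in the training sequences."""
    return {tok: i for i, tok in enumerate(sorted({t for s in sequences for t in s}))}


def one_hot(seq, vocab):
    """One-hot option: one binary vector per system call in the sequence."""
    return [[1 if vocab[tok] == i else 0 for i in range(len(vocab))] for tok in seq]


def to_modules(seq):
    """Option (a): replace each system call by its kernel module name."""
    return [SYSCALL_MODULE[tok] for tok in seq]


def one_hot_enhanced(seq, vocab, mod_vocab):
    """Option (b): concatenate the call's one-hot with its module's one-hot."""
    return [one_hot([tok], vocab)[0] + one_hot([SYSCALL_MODULE[tok]], mod_vocab)[0]
            for tok in seq]


def collisions(sequences):
    """Number of distinct call sequences that collapse onto an already-seen
    module sequence under option (a): each collision is a distinction the
    classifier can no longer make after the mapping."""
    seen = {}
    for seq in sequences:
        seen.setdefault(tuple(to_modules(seq)), set()).add(tuple(seq))
    return sum(len(originals) - 1 for originals in seen.values())


# Constructed traces: read-only access, a write, and two network patterns.
TRACES = [
    ["open", "read", "close"],
    ["open", "write", "close"],      # same module sequence as the trace above
    ["socket", "connect", "sendto"],
    ["fork", "kill"],
]
```

Running `collisions(TRACES)` on the constructed traces reports one lost distinction (the read-only and write traces both become `fs, fs, fs`), while option (b) keeps the original call identity alongside its module.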
