ARMOUR: An Application-Level Threat Detection Framework

Conventional security mechanisms at the network, host, and source code levels are no longer sufficient for detecting and responding to today's increasingly dynamic and sophisticated cyber threats. Detecting malicious behavior at the application level can help better understand the intent of the threat and strengthen the overall system security posture. To that end, we have developed an innovative, use case-driven framework called ARMOUR (which stands for Association Rules Mining Of Undesired behavioR) that mines software component interactions from system execution history and applies an adaptive detection algorithm to identify potentially malicious behavior. The framework uses unsupervised learning; can perform fast, "inline" detection in near real time; and can quickly adapt to system load fluctuations and other concept drifts. Our evaluation of the approach against a real Emergency Deployment System has demonstrated very promising results.

[ARMOUR picture]

As depicted in the diagram above, the ARMOUR framework consists of two major phases:

The contributions of our architecture-based framework, dubbed Association Rules Mining Of Undesired behavioR (ARMOUR), consist of three key elements: use case-informed monitoring of system execution history at the component level, the novel use of Association Rules mining to build a normal-use behavior model of the target system, and an efficient and adaptive algorithm that applies the model to anomaly detection. Our approach is different from many existing approaches in the following aspects:
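A minimal illustration of the idea described above, added here as an example; it is not ARMOUR's code, and the page does not give the framework's actual rule-mining parameters or adaptive algorithm. Each transaction is the set of component interactions observed while serving one request; rules are mined from normal-use history and a new transaction is flagged when it violates high-confidence rules. Component names, thresholds and the sample history are constructed.

```python
from itertools import combinations
from collections import Counter

# Constructed normal-use history: one set of component interactions per request.
NORMAL_HISTORY = [
    {"UI->Dispatcher", "Dispatcher->ResourceMgr", "ResourceMgr->DB"},
    {"UI->Dispatcher", "Dispatcher->ResourceMgr", "ResourceMgr->DB"},
    {"UI->Dispatcher", "Dispatcher->ResourceMgr", "ResourceMgr->DB", "Dispatcher->Logger"},
    {"UI->Dispatcher", "Dispatcher->Logger"},
    {"UI->Dispatcher", "Dispatcher->ResourceMgr", "ResourceMgr->DB"},
]


def mine_rules(history, min_support=0.4, min_confidence=0.9):
    """Mine single-antecedent rules A -> B from 2-itemsets (assumed thresholds).

    support(A,B) = fraction of transactions containing both;
    confidence(A->B) = count(A,B) / count(A).
    """
    n = len(history)
    item_count = Counter(item for t in history for item in t)
    pair_count = Counter()
    for t in history:
        for a, b in combinations(sorted(t), 2):
            pair_count[(a, b)] += 1
    rules = {}
    for (a, b), c in pair_count.items():
        if c / n < min_support:
            continue
        for ante, cons in ((a, b), (b, a)):
            conf = c / item_count[ante]
            if conf >= min_confidence:
                rules[(ante, cons)] = conf
    return rules


def violated_rules(transaction, rules):
    """Rules whose antecedent occurred in the transaction but whose consequent did not."""
    return sorted((a, b) for (a, b) in rules if a in transaction and b not in transaction)


def is_anomalous(transaction, rules, max_violations=0):
    """Flag a transaction that breaks more high-confidence rules than tolerated."""
    return len(violated_rules(transaction, rules)) > max_violations


if __name__ == "__main__":
    model = mine_rules(NORMAL_HISTORY)
    # Resource manager and DB reached without the UI entry point: flagged.
    print(is_anomalous({"Dispatcher->ResourceMgr", "ResourceMgr->DB"}, model))
```

Adapting to concept drift, which the page attributes to ARMOUR's algorithm, would require periodically re-mining the rules over a sliding window of recent history; this sketch keeps a fixed model.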

The source code for simulating the Emergency Deployment System (EDS), a real component-based software system, can be found here.

More detailed evaluation results are also available.

Publications

More details about ARMOUR can be found in our publication:
