{"id":"https://openalex.org/W1566884194","doi":"https://doi.org/10.1109/cisda.2015.7208644","title":"A trace abstraction approach for host-based anomaly detection","display_name":"A trace abstraction approach for host-based anomaly detection","publication_year":2015,"publication_date":"2015-05-01","ids":{"openalex":"https://openalex.org/W1566884194","doi":"https://doi.org/10.1109/cisda.2015.7208644","mag":"1566884194"},"language":"en","primary_location":{"id":"doi:10.1109/cisda.2015.7208644","is_oa":false,"landing_page_url":"https://doi.org/10.1109/cisda.2015.7208644","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2015 IEEE Symposium on Computational Intelligence for Security and Defense Applications (CISDA)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5032967266","display_name":"Syed Shariyar Murtaza","orcid":"https://orcid.org/0000-0003-3330-4783"},"institutions":[{"id":"https://openalex.org/I60158472","display_name":"Concordia University","ror":"https://ror.org/0420zvk78","country_code":"CA","type":"education","lineage":["https://openalex.org/I60158472"]}],"countries":["CA"],"is_corresponding":false,"raw_author_name":"Syed Shariyar Murtaza","raw_affiliation_strings":["Software Behaviour Analysis (SBA) Research Lab ECE, Concordia University, Montreal, QC, Canada","[Software Behaviour Analysis (SBA) Research Lab ECE, Concordia University, Montr\u00e9al, QC, Canada]"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Software Behaviour Analysis (SBA) Research Lab ECE, Concordia University, Montreal, QC, Canada","institution_ids":["https://openalex.org/I60158472"]},{"raw_affiliation_string":"[Software Behaviour Analysis (SBA) Research Lab ECE, Concordia University, Montr\u00e9al, QC, Canada]","institution_ids":["https://openalex.org/I60158472"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5035349718","display_name":"Wael Khreich","orcid":null},"institutions":[{"id":"https://openalex.org/I60158472","display_name":"Concordia University","ror":"https://ror.org/0420zvk78","country_code":"CA","type":"education","lineage":["https://openalex.org/I60158472"]}],"countries":["CA"],"is_corresponding":false,"raw_author_name":"Wael Khreich","raw_affiliation_strings":["Software Behaviour Analysis (SBA) Research Lab ECE, Concordia University, Montreal, QC, Canada","[Software Behaviour Analysis (SBA) Research Lab ECE, Concordia University, Montr\u00e9al, QC, Canada]"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Software Behaviour Analysis (SBA) Research Lab ECE, Concordia University, Montreal, QC, Canada","institution_ids":["https://openalex.org/I60158472"]},{"raw_affiliation_string":"[Software Behaviour Analysis (SBA) Research Lab ECE, Concordia University, Montr\u00e9al, QC, Canada]","institution_ids":["https://openalex.org/I60158472"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5058884064","display_name":"Abdelwahab Hamou\u2010Lhadj","orcid":"https://orcid.org/0000-0002-3319-5006"},"institutions":[{"id":"https://openalex.org/I60158472","display_name":"Concordia University","ror":"https://ror.org/0420zvk78","country_code":"CA","type":"education","lineage":["https://openalex.org/I60158472"]}],"countries":["CA"],"is_corresponding":false,"raw_author_name":"Abdelwahab Hamou-Lhadj","raw_affiliation_strings":["Software Behaviour Analysis (SBA) Research Lab ECE, Concordia University, Montreal, QC, Canada","[Software Behaviour Analysis (SBA) Research Lab ECE, Concordia University, Montr\u00e9al, QC, Canada]"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Software Behaviour Analysis (SBA) Research Lab ECE, Concordia University, Montreal, QC, Canada","institution_ids":["https://openalex.org/I60158472"]},{"raw_affiliation_string":"[Software Behaviour Analysis (SBA) Research Lab ECE, Concordia University, Montr\u00e9al, QC, Canada]","institution_ids":["https://openalex.org/I60158472"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5079136654","display_name":"St\u00e9phane Gagnon","orcid":"https://orcid.org/0000-0001-7732-9849"},"institutions":[{"id":"https://openalex.org/I33217400","display_name":"Universit\u00e9 du Qu\u00e9bec en Outaouais","ror":"https://ror.org/011pqxa69","country_code":"CA","type":"education","lineage":["https://openalex.org/I33217400","https://openalex.org/I49663120"]}],"countries":["CA"],"is_corresponding":false,"raw_author_name":"Stephane Gagnon","raw_affiliation_strings":["Departement des sciences administratives, Universit\u00e9 du Qu\u00e9bec en Outaouais, Gatineau, QC, Canada","D\u00e9partement des sciences administratives, universit\u00e9 du Qu\u00e9bec en Outaouais, Gatineau, QC, Canada"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Departement des sciences administratives, Universit\u00e9 du Qu\u00e9bec en Outaouais, Gatineau, QC, Canada","institution_ids":["https://openalex.org/I33217400"]},{"raw_affiliation_string":"D\u00e9partement des sciences administratives, universit\u00e9 du Qu\u00e9bec en Outaouais, Gatineau, QC, Canada","institution_ids":["https://openalex.org/I33217400"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":3.1559,"has_fulltext":false,"cited_by_count":19,"citation_normalized_percentile":{"value":0.92130306,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":90,"max":99},"biblio":{"volume":"3","issue":null,"first_page":"1","last_page":"8"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11512","display_name":"Anomaly Detection Techniques and Applications","score":0.9993000030517578,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9973000288009644,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/anomaly-detection","display_name":"Anomaly detection","score":0.8297102451324463},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8228351473808289},{"id":"https://openalex.org/keywords/trace","display_name":"TRACE (psycholinguistics)","score":0.729487419128418},{"id":"https://openalex.org/keywords/abstraction","display_name":"Abstraction","score":0.6686860918998718},{"id":"https://openalex.org/keywords/system-call","display_name":"System call","score":0.6368495225906372},{"id":"https://openalex.org/keywords/host","display_name":"Host (biology)","score":0.6207298040390015},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.586702287197113},{"id":"https://openalex.org/keywords/hidden-markov-model","display_name":"Hidden Markov model","score":0.5762984156608582},{"id":"https://openalex.org/keywords/kernel","display_name":"Kernel (algebra)","score":0.5343220829963684},{"id":"https://openalex.org/keywords/embedding","display_name":"Embedding","score":0.5125331878662109},{"id":"https://openalex.org/keywords/anomaly","display_name":"Anomaly (physics)","score":0.5016555786132812},{"id":"https://openalex.org/keywords/false-positive-paradox","display_name":"False positive paradox","score":0.42720162868499756},{"id":"https://openalex.org/keywords/data-mining","display_name":"Data mining","score":0.41488102078437805},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.27016568183898926},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.215660959482193},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.12916973233222961}],"concepts":[{"id":"https://openalex.org/C739882","wikidata":"https://www.wikidata.org/wiki/Q3560506","display_name":"Anomaly detection","level":2,"score":0.8297102451324463},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8228351473808289},{"id":"https://openalex.org/C75291252","wikidata":"https://www.wikidata.org/wiki/Q1315756","display_name":"TRACE (psycholinguistics)","level":2,"score":0.729487419128418},{"id":"https://openalex.org/C124304363","wikidata":"https://www.wikidata.org/wiki/Q673661","display_name":"Abstraction","level":2,"score":0.6686860918998718},{"id":"https://openalex.org/C2778579508","wikidata":"https://www.wikidata.org/wiki/Q722192","display_name":"System call","level":2,"score":0.6368495225906372},{"id":"https://openalex.org/C126831891","wikidata":"https://www.wikidata.org/wiki/Q221673","display_name":"Host (biology)","level":2,"score":0.6207298040390015},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.586702287197113},{"id":"https://openalex.org/C23224414","wikidata":"https://www.wikidata.org/wiki/Q176769","display_name":"Hidden Markov model","level":2,"score":0.5762984156608582},{"id":"https://openalex.org/C74193536","wikidata":"https://www.wikidata.org/wiki/Q574844","display_name":"Kernel (algebra)","level":2,"score":0.5343220829963684},{"id":"https://openalex.org/C41608201","wikidata":"https://www.wikidata.org/wiki/Q980509","display_name":"Embedding","level":2,"score":0.5125331878662109},{"id":"https://openalex.org/C12997251","wikidata":"https://www.wikidata.org/wiki/Q567560","display_name":"Anomaly (physics)","level":2,"score":0.5016555786132812},{"id":"https://openalex.org/C64869954","wikidata":"https://www.wikidata.org/wiki/Q1859747","display_name":"False positive paradox","level":2,"score":0.42720162868499756},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.41488102078437805},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.27016568183898926},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.215660959482193},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.12916973233222961},{"id":"https://openalex.org/C111472728","wikidata":"https://www.wikidata.org/wiki/Q9471","display_name":"Epistemology","level":1,"score":0.0},{"id":"https://openalex.org/C33923547","wikidata":"https://www.wikidata.org/wiki/Q395","display_name":"Mathematics","level":0,"score":0.0},{"id":"https://openalex.org/C86803240","wikidata":"https://www.wikidata.org/wiki/Q420","display_name":"Biology","level":0,"score":0.0},{"id":"https://openalex.org/C114614502","wikidata":"https://www.wikidata.org/wiki/Q76592","display_name":"Combinatorics","level":1,"score":0.0},{"id":"https://openalex.org/C121332964","wikidata":"https://www.wikidata.org/wiki/Q413","display_name":"Physics","level":0,"score":0.0},{"id":"https://openalex.org/C26873012","wikidata":"https://www.wikidata.org/wiki/Q214781","display_name":"Condensed matter physics","level":1,"score":0.0},{"id":"https://openalex.org/C41895202","wikidata":"https://www.wikidata.org/wiki/Q8162","display_name":"Linguistics","level":1,"score":0.0},{"id":"https://openalex.org/C138885662","wikidata":"https://www.wikidata.org/wiki/Q5891","display_name":"Philosophy","level":0,"score":0.0},{"id":"https://openalex.org/C18903297","wikidata":"https://www.wikidata.org/wiki/Q7150","display_name":"Ecology","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/cisda.2015.7208644","is_oa":false,"landing_page_url":"https://doi.org/10.1109/cisda.2015.7208644","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2015 IEEE Symposium on Computational Intelligence for Security and Defense Applications (CISDA)","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"score":0.6600000262260437,"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions"}],"awards":[],"funders":[{"id":"https://openalex.org/F4320320965","display_name":"University of New South Wales","ror":"https://ror.org/03r8z3t63"},{"id":"https://openalex.org/F4320334593","display_name":"Natural Sciences and Engineering Research Council of Canada","ror":"https://ror.org/01h531d29"}],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":45,"referenced_works":["https://openalex.org/W1496741998","https://openalex.org/W1541198780","https://openalex.org/W1562890122","https://openalex.org/W1673935915","https://openalex.org/W1941427975","https://openalex.org/W1948664808","https://openalex.org/W1981738628","https://openalex.org/W1992602600","https://openalex.org/W1993943803","https://openalex.org/W2005482001","https://openalex.org/W2006862475","https://openalex.org/W2007087405","https://openalex.org/W2046255282","https://openalex.org/W2055510056","https://openalex.org/W2085305295","https://openalex.org/W2093488494","https://openalex.org/W2095979141","https://openalex.org/W2100533862","https://openalex.org/W2101899163","https://openalex.org/W2106442760","https://openalex.org/W2118372007","https://openalex.org/W2118528519","https://openalex.org/W2125838338","https://openalex.org/W2129860818","https://openalex.org/W2135143063","https://openalex.org/W2139731313","https://openalex.org/W2147191819","https://openalex.org/W2148324316","https://openalex.org/W2152955798","https://openalex.org/W2155293476","https://openalex.org/W2161085373","https://openalex.org/W2164219553","https://openalex.org/W2166855330","https://openalex.org/W2167240430","https://openalex.org/W2182003360","https://openalex.org/W2183982463","https://openalex.org/W2405151678","https://openalex.org/W2582743722","https://openalex.org/W3136767761","https://openalex.org/W4229772528","https://openalex.org/W6633776688","https://openalex.org/W6637492030","https://openalex.org/W6642210281","https://openalex.org/W6651897804","https://openalex.org/W6684614861"],"related_works":["https://openalex.org/W1557094818","https://openalex.org/W2053269318","https://openalex.org/W2364370872","https://openalex.org/W4214835788","https://openalex.org/W1996865198","https://openalex.org/W11100131","https://openalex.org/W1805274772","https://openalex.org/W1975539049","https://openalex.org/W2110884578","https://openalex.org/W2461112681"],"abstract_inverted_index":{"High":[0],"false":[1,114],"alarm":[2],"rates":[3],"and":[4,56,76,99,116],"execution":[5,31,119],"times":[6,120],"are":[7],"among":[8],"the":[9,22,30,38,58,88],"key":[10,42],"issues":[11],"in":[12],"host-based":[13,128],"anomaly":[14,34,66,129],"detection":[15,67,130],"systems.":[16,131],"In":[17],"this":[18],"paper,":[19],"we":[20],"investigate":[21],"use":[23,57],"of":[24,33,52],"trace":[25],"abstraction":[26],"techniques":[27],"for":[28,127],"reducing":[29],"time":[32],"detectors":[35],"while":[36],"keeping":[37],"same":[39],"accuracy.":[40],"The":[41,101],"idea":[43],"is":[44],"to":[45,64,110,122],"represent":[46],"system":[47,124],"call":[48,125],"traces":[49,51,61,107,126],"as":[50,62,70,92,94],"kernel":[53,105],"module":[54,106],"interactions":[55],"resulting":[59],"abstract":[60],"input":[63],"known":[65],"techniques,":[68],"such":[69],"STIDE":[71],"(the":[72],"Sequence":[73],"Time-Delay":[74],"Embedding)":[75],"HMM":[77],"(Hidden":[78],"Markov":[79],"Models).":[80],"We":[81],"performed":[82],"experiments":[83],"on":[84],"three":[85],"datasets,":[86,97],"namely,":[87],"traditional":[89],"UNM":[90],"dataset":[91],"well":[93],"two":[95],"modern":[96],"Firefox":[98],"ADFA-LD.":[100],"results":[102],"show":[103],"that":[104],"can":[108],"lead":[109],"similar":[111],"or":[112],"fewer":[113],"alarms":[115],"considerably":[117],"smaller":[118],"compared":[121],"raw":[123]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2024,"cited_by_count":1},{"year":2023,"cited_by_count":1},{"year":2022,"cited_by_count":1},{"year":2021,"cited_by_count":2},{"year":2020,"cited_by_count":3},{"year":2019,"cited_by_count":1},{"year":2018,"cited_by_count":6},{"year":2017,"cited_by_count":3}],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-10-10T00:00:00"}
