An Application-Level Threat Detection Framework (ARMOUR)

Conventional security mechanisms at the network, host, and source code levels are no longer sufficient for detecting and responding to today's increasingly dynamic and sophisticated cyber threats. Detecting malicious behavior at the application level can help better understand the intent of the threat and strengthen the overall system security posture. To that end, we have developed an innovative, use case-driven framework called ARMOUR (which stands for Association Rules Mining Of Undesired behavioR) that involves mining software component interactions from system execution history and applying an adaptive detection algorithm to identify potential malicious behavior. The framework uses unsupervised learning; can perform fast, "inline" detection in near real time; and can quickly adapt to system load fluctuations and other concept drifts. Our evaluation of the approach against a real Emergency Deployment System has demonstrated very promising results.
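To make the abstract's idea concrete, the following Python sketch is an added illustration, not ARMOUR's own algorithm or code: it mines association rules between component interactions from a constructed execution history, flags a request whose interactions break high-confidence rules or were never seen before, and re-mines over a sliding window so that gradual drift in normal behavior is absorbed. The component names, thresholds and window size are assumptions.

```python
from collections import Counter, deque
from itertools import permutations

# Constructed execution history (not real data): each transaction is the set
# of component interactions "caller->callee" observed while serving one request.
HISTORY = [
    {"web->auth", "auth->db", "web->dispatch", "dispatch->db"},
    {"web->auth", "auth->db", "web->dispatch", "dispatch->db", "dispatch->gps"},
    {"web->auth", "auth->db", "web->report", "report->db"},
    {"web->auth", "auth->db", "web->dispatch", "dispatch->db"},
    {"web->auth", "auth->db", "web->dispatch", "dispatch->db", "dispatch->gps"},
]

def mine_rules(transactions, min_support=0.6, min_confidence=0.9):
    """Mine rules A -> B between single interactions (unsupervised).
    support(A,B) = fraction of transactions containing both A and B;
    confidence(A -> B) = support(A,B) / support(A)."""
    n = len(transactions)
    single, pair = Counter(), Counter()
    for tx in transactions:
        single.update(tx)
        pair.update(permutations(sorted(tx), 2))  # all ordered pairs (a, b)
    rules = {}
    for (a, b), cnt in pair.items():
        if cnt / n >= min_support and cnt / single[a] >= min_confidence:
            rules[(a, b)] = cnt / single[a]
    return rules

def detect(tx, rules, known):
    """Anomalies in one request: rules whose antecedent fires but whose
    consequent is absent, plus interactions never seen in the history."""
    missing = [(a, b) for (a, b) in rules if a in tx and b not in tx]
    return {"missing": sorted(missing), "novel": sorted(tx - known)}

class AdaptiveDetector:
    """Sliding window over recent execution history; rules are re-mined after
    every clean request so the baseline follows normal drift (assumed design)."""
    def __init__(self, history, window=50, **kw):
        self.window, self.kw = deque(history, maxlen=window), kw
        self._refresh()
    def _refresh(self):
        self.rules = mine_rules(list(self.window), **self.kw)
        self.known = set().union(*self.window)
    def observe(self, tx):
        result = detect(tx, self.rules, self.known)
        if not result["missing"] and not result["novel"]:
            self.window.append(tx)  # only clean requests update the baseline
            self._refresh()
        return result
```

A request that reaches the dispatcher without the usual authentication interactions, or that introduces an interaction never seen in the history, is reported with the specific rules it violated, which is the kind of intent-revealing signal the abstract refers to.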
ARMOUR Framework Overview