Integrating system calls and position-specific scoring for enhanced anomaly detection in Internet of Things environments
Shamim, Nouman ; Asim, Muhammad ; Baker, Thar ; ; Awad, Ali Ismail ; Zomaya, Albert Y.
Issue Date
2025-08-20
Abstract
Identifying attacks on Internet of Things (IoT) systems through anomaly detection is an effective approach and remains a crucial area of research. The core method involves collecting system-related data during normal operation to establish a baseline of typical behavior and then continuously monitoring for deviations from this baseline. Using system call sequences for anomaly detection is a well-established and important field. System call sequences effectively capture the behavior of a target system at a low level, allowing identification of any changes in this behavior; however, these approaches face several challenges, including high false-positive rates, the need for segmentation of long sequences, and the difficulty of detecting anomalies when the system call data comes from multiple processes. This work presents a novel anomaly-detection approach that uses a position-specific scoring mechanism to analyze the content and structural properties of system call sequences. The proposed approach addresses key challenges in this field, including fixed-length segmentation of system call sequences, predetermined anomaly-detection thresholds, the detection of anomalies in both single and multiple processes, and high false-positive rates. We extensively evaluated the proposed approach using system-call-specific public datasets (ADFA-LD and UNM) of a diverse nature. The performance of the proposed content-based, structure-based, and combined content- and structure-based anomaly-detection methods was evaluated using ten-fold cross-validation. The proposed anomaly-detection approach achieves an impressive detection rate of 1.0, along with exceptionally low false-positive rates of 0.001 and 0.017 when evaluated on the UNM and ADFA-LD datasets, respectively.
Citation
Shamim, N., Asim, M., Baker, T., Pervez, Z., Awad, A.I. and Zomaya, A.Y. (2025) Integrating system calls and position-specific scoring for enhanced anomaly detection in Internet of Things environments. Computers and Security, 158, 104613.
Type
Journal article
Language
en
Description
© 2025 The Authors. Published by Elsevier. This is an open access article available under a Creative Commons licence.
The published version can be accessed at the following link on the publisher’s website: https://doi.org/10.1016/j.cose.2025.104613
ISSN
0167-4048
Sponsors
This research was supported by the UAEU Program for Advanced Research (UPAR) grant, United Arab Emirates University (UAEU), under Grant No. 12T086.