Identification of programs based on the behavior
Modelirovanie i analiz informacionnyh sistem, Tome 21 (2014) no. 6, pp. 120-130

See the article record from the source Math-Net.Ru

An algorithm for mining patterns from sequences of system calls is described. The patterns are used for process identification, that is, for establishing that a given sequence of system calls was produced by the same process from which the patterns were extracted. Existing algorithms are either computationally more complex or show high false-positive rates in experiments when compared with an automaton-building algorithm. Our algorithm is less complex and more precise than the classical N-gram algorithm. Performance tests show that our kernel monitor does not significantly slow down the operating system. After 20 minutes of learning, the algorithm is able to identify any thread of any process with 85% precision. Program identification based on behavior is used for anomaly detection of malicious activity in the system.
Keywords: behavior analysis, anomaly detection, pattern mining.
@article{MAIS_2014_21_6_a10,
     author = {M. V. Baklanovsky and A. R. Khanov},
     title = {Identification of programs based on the behavior},
     journal = {Modelirovanie i analiz informacionnyh sistem},
     pages = {120--130},
     publisher = {mathdoc},
     volume = {21},
     number = {6},
     year = {2014},
     language = {ru},
     url = {http://geodesic.mathdoc.fr/item/MAIS_2014_21_6_a10/}
}
TY  - JOUR
AU  - M. V. Baklanovsky
AU  - A. R. Khanov
TI  - Identification of programs based on the behavior
JO  - Modelirovanie i analiz informacionnyh sistem
PY  - 2014
SP  - 120
EP  - 130
VL  - 21
IS  - 6
PB  - mathdoc
UR  - http://geodesic.mathdoc.fr/item/MAIS_2014_21_6_a10/
LA  - ru
ID  - MAIS_2014_21_6_a10
ER  - 
%0 Journal Article
%A M. V. Baklanovsky
%A A. R. Khanov
%T Identification of programs based on the behavior
%J Modelirovanie i analiz informacionnyh sistem
%D 2014
%P 120-130
%V 21
%N 6
%I mathdoc
%U http://geodesic.mathdoc.fr/item/MAIS_2014_21_6_a10/
%G ru
%F MAIS_2014_21_6_a10
M. V. Baklanovsky; A. R. Khanov. Identification of programs based on the behavior. Modelirovanie i analiz informacionnyh sistem, Tome 21 (2014) no. 6, pp. 120-130. http://geodesic.mathdoc.fr/item/MAIS_2014_21_6_a10/