Identification of programs based on the behavior
Modelirovanie i analiz informacionnyh sistem, Volume 21 (2014) no. 6, pp. 120-130.

See the article record at the source, Math-Net.Ru

An algorithm for mining patterns from sequences of system calls is described. The patterns are used for process identification, that is, for establishing that a given sequence of system calls was produced by the same process from which the patterns were extracted. Compared with an automaton-building algorithm, existing algorithms are either computationally more complex or show high false-positive rates in experiments. Our algorithm is less complex and more precise than the classical N-gram algorithm. Performance tests show that our kernel monitor does not significantly slow down the operating system. After 20 minutes of learning, the algorithm is able to identify any thread of any process with 85% precision. Program identification based on behavior is used for anomaly detection of malicious activity in the system.
Keywords: behavior analysis, anomaly detection, pattern mining.
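The abstract measures the proposed pattern-mining algorithm against the classical N-gram (stide-style) approach of Forrest et al. (refs. [5], [7], [10]). The following is an added illustration of that N-gram baseline, written for this record and not taken from the paper: a per-process database of length-N system-call windows is learned from training traces, and a new trace is attributed to the process whose database explains it with the fewest unseen windows. The system-call traces, the process names and the window length N = 3 are constructed for the example; the paper's own algorithm is not reproduced here.

```python
"""Classical N-gram (stide-style) system-call profiling for process identification.

Added example, not the algorithm of Baklanovsky and Khanov. The traces below are
constructed, idealised system-call names, not captured from a real kernel monitor.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Sequence, Set, Tuple

N = 3  # window length; Tan and Maxion ("Why 6?") show detection quality depends on it

# Constructed training traces: a few "normal" runs per process.
TRAINING_TRACES: Dict[str, List[List[str]]] = {
    "httpd": [
        ["accept", "read", "open", "stat", "read", "write", "close", "accept"],
        ["accept", "read", "open", "stat", "read", "write", "close", "accept",
         "read", "open", "stat", "read", "write", "close"],
    ],
    "sshd": [
        ["socket", "bind", "listen", "accept", "fork", "setuid", "execve", "wait4"],
        ["accept", "fork", "setuid", "execve", "wait4", "accept", "fork", "setuid"],
    ],
}

Gram = Tuple[str, ...]


def ngrams(trace: Sequence[str], n: int = N) -> List[Gram]:
    """All sliding windows of length n over a system-call trace."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def build_profiles(traces: Dict[str, List[List[str]]], n: int = N) -> Dict[str, Set[Gram]]:
    """Learning phase: the 'normal' database of a process is the set of n-grams seen in its runs."""
    profiles: Dict[str, Set[Gram]] = defaultdict(set)
    for proc, runs in traces.items():
        for run in runs:
            profiles[proc].update(ngrams(run, n))
    return dict(profiles)


def mismatch_rate(trace: Sequence[str], profile: Set[Gram], n: int = N) -> float:
    """Fraction of the trace's n-grams that the profile has never seen (0.0 = fully explained)."""
    grams = ngrams(trace, n)
    if not grams:
        return 1.0  # a trace shorter than n carries no evidence; treat as unexplained
    misses = sum(1 for g in grams if g not in profile)
    return misses / len(grams)


def identify(trace: Sequence[str], profiles: Dict[str, Set[Gram]],
             n: int = N, threshold: float = 0.5) -> Tuple[Optional[str], float]:
    """Attribute a trace to the process whose profile explains it best.

    Returns (process, mismatch_rate). The process is None when even the best
    profile leaves more than `threshold` of the windows unexplained, i.e. the
    trace looks like none of the learned programs (the anomaly case, such as
    injected code issuing system calls its host process never makes).
    Ties on the rate are broken by process name, so keep names distinct.
    """
    rate, proc = min((mismatch_rate(trace, prof, n), proc) for proc, prof in profiles.items())
    return (proc if rate <= threshold else None, rate)


def precision(labelled: List[Tuple[str, List[str]]], profiles: Dict[str, Set[Gram]],
              n: int = N, threshold: float = 0.5) -> float:
    """Precision of identification over (true_process, trace) pairs: correct / attributed.

    Traces the detector declines to attribute (None) are not counted as wrong here;
    how to treat them is the usual precision-versus-recall trade-off.
    """
    attributed = correct = 0
    for truth, trace in labelled:
        guess, _ = identify(trace, profiles, n, threshold)
        if guess is not None:
            attributed += 1
            correct += guess == truth
    return correct / attributed if attributed else 0.0


if __name__ == "__main__":
    profiles = build_profiles(TRAINING_TRACES)
    tests = [
        ("httpd", ["accept", "read", "open", "stat", "read", "write", "close"]),
        ("sshd", ["listen", "accept", "fork", "setuid", "execve"]),
        # httpd-like prefix followed by an execve the web server never issued
        ("httpd", ["accept", "read", "open", "execve", "write", "close"]),
    ]
    for truth, trace in tests:
        print(truth, "->", identify(trace, profiles))
    print("precision:", precision(tests, profiles))
```

The anomalous third trace is the case the N-gram detector handles least gracefully: a single foreign call poisons every window that overlaps it, so the mismatch rate jumps to 0.75 and the trace is rejected rather than misattributed. Widening N makes each injected call poison more windows (better sensitivity) but also makes rare-but-benign orderings look foreign (more false positives), which is the trade-off the abstract's precision figure is measured against.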
@article{MAIS_2014_21_6_a10,
     author = {M. V. Baklanovsky and A. R. Khanov},
     title = {Identification of programs based on the behavior},
     journal = {Modelirovanie i analiz informacionnyh sistem},
     pages = {120--130},
     publisher = {mathdoc},
     volume = {21},
     number = {6},
     year = {2014},
     language = {ru},
     url = {http://geodesic.mathdoc.fr/item/MAIS_2014_21_6_a10/}
}
TY  - JOUR
AU  - M. V. Baklanovsky
AU  - A. R. Khanov
TI  - Identification of programs based on the behavior
JO  - Modelirovanie i analiz informacionnyh sistem
PY  - 2014
SP  - 120
EP  - 130
VL  - 21
IS  - 6
PB  - mathdoc
UR  - http://geodesic.mathdoc.fr/item/MAIS_2014_21_6_a10/
LA  - ru
ID  - MAIS_2014_21_6_a10
ER  - 
%0 Journal Article
%A M. V. Baklanovsky
%A A. R. Khanov
%T Identification of programs based on the behavior
%J Modelirovanie i analiz informacionnyh sistem
%D 2014
%P 120-130
%V 21
%N 6
%I mathdoc
%U http://geodesic.mathdoc.fr/item/MAIS_2014_21_6_a10/
%G ru
%F MAIS_2014_21_6_a10
M. V. Baklanovsky; A. R. Khanov. Identification of programs based on the behavior. Modelirovanie i analiz informacionnyh sistem, Volume 21 (2014) no. 6, pp. 120-130. http://geodesic.mathdoc.fr/item/MAIS_2014_21_6_a10/

[1] A. Wespi, M. Dacier, H. Debar, “Intrusion Detection Using Variable-Length Audit Trail Patterns”, Proceedings of the Third International Workshop on Recent Advances in Intrusion Detection, Springer-Verlag, London, UK, 2000, 110–129

[2] A. K. Ghosh, A. Schwartzbard, “A study in using neural networks for anomaly and misuse detection”, Proceedings of the 8th conference on USENIX Security Symposium, v. 8, USENIX Association Berkeley, Washington, D.C., 1999, 141–151

[3] D. Lo, S. Khoo, “Mining patterns and rules for software specification discovery”, Proceedings of the VLDB Endowment, VLDB Endowment, 2008, 1609–1616

[4] H. H. Feng, O. M. Kolesnikov, P. Fogla, W. Lee, W. Gong, “Anomaly detection using call stack information”, Proceedings 19th International Conference on Data Engineering, IEEE Computer Society, Washington, DC, USA, 2003, 62–75

[5] S. Forrest, S. A. Hofmeyr, A. Somayaji, T. A. Longstaff, “A Sense of Self for Unix Processes”, SP'96: Proceedings of the 1996 IEEE Symposium on Security and Privacy, IEEE Computer Society, Washington, DC, USA, 1996, 120–128 | DOI

[6] H. Debar, M. Dacier, M. Nassehi, A. Wespi, “Fixed vs. variable-length patterns for detecting suspicious process behavior”, J. Comput. Secur., 2000, 159–181

[7] K. Tan, R. Maxion, ““Why 6?” Defining the operational limits of stide, an anomaly-based intrusion detector”, SP'02: Proceedings of the 2002 IEEE Symposium on Security and Privacy, IEEE Computer Society, Washington, DC, USA, 2002, 188–201 | DOI

[8] N. A. Milea, S. C. Khoo, D. Lo, C. Pop, “NORT: runtime anomaly-based monitoring of malicious behavior for windows”, Proceedings of the Second International Conference on Runtime Verification, Springer-Verlag, Berlin–Heidelberg, 2012, 115–130 | DOI

[9] R. Sekar, M. Bendre, D. Dhurjati, P. Bollineni, “A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors”, Proceedings of the 2001 IEEE Symposium on Security and Privacy, IEEE Computer Society, Washington, DC, USA, 2001, 144–155

[10] S. A. Hofmeyr, S. Forrest, A. Somayaji, “Intrusion detection using sequences of system calls”, Journal of Computer Security, 1998, 151–180

[11] C. Tankard, “Persistent threats and how to monitor and deter them”, Network Security, 2011, 16–19 | DOI

[12] C. Warrender, S. Forrest, B. Pearlmutter, “Detecting Intrusions Using System Calls: Alternative Data Models”, IEEE Symposium on security and privacy, IEEE Computer Society, Oakland, CA, 1999, 133–145

[13] R. S. Oderov, Y. D. Tensin, “Ways of code placing in a kernel of OS Microsoft Windows Server 2008”, Actual problems of organization and technology of information protection, Proceedings of interuniversity theoretical and practical conference, SPbNRU ITMO, SPb., 2011, 100–102

[14] A. R. Khanov, M. V. Baklanovsky, “Process identification based on external features”, Proceedings of all-Russian scientific conference on Informatics problems “SPISOK-2012”, SPbSU, SPb., 2012, 76–78

[15] A. R. Khanov, M. V. Baklanovsky, “CODA — novel system for computer security: review of system architecture”, XXXVIII Academic readings on Astronautics, Proceedings of section 22, M., 2014, 649–650