Identification of programs based on the behavior
Modelirovanie i analiz informacionnyh sistem, Tome 21 (2014) no. 6, pp. 120-130
Voir la notice de l'article provenant de la source Math-Net.Ru
The algorithm of pattern mining from sequences of system calls is described. Patterns are used for process identification or establishing the fact that some sequence of system calls was produced by the process which was used in pattern extraction. Existing algorithms are computationaly more complex or reveals high false positive runs in experiments in comparision with an automaton building algorithm. Our algorithm is less complex and more precise in comparision with the classical N-gram algorithm. Performance tests reveal that our kernel monitor does not significatly slow down the processing of the operating system. After 20 minutes of learning the algorithm is able to identify any thread of any process with 85% precision. Program identification based on behavior is used for anomaly detection of malicious activities in system.
Keywords:
behavior analysis, anomaly detection, pattern mining.
@article{MAIS_2014_21_6_a10,
author = {M. V. Baklanovsky and A. R. Khanov},
title = {Identification of programs based on the behavior},
journal = {Modelirovanie i analiz informacionnyh sistem},
pages = {120--130},
publisher = {mathdoc},
volume = {21},
number = {6},
year = {2014},
language = {ru},
url = {http://geodesic.mathdoc.fr/item/MAIS_2014_21_6_a10/}
}
TY - JOUR AU - M. V. Baklanovsky AU - A. R. Khanov TI - Identification of programs based on the behavior JO - Modelirovanie i analiz informacionnyh sistem PY - 2014 SP - 120 EP - 130 VL - 21 IS - 6 PB - mathdoc UR - http://geodesic.mathdoc.fr/item/MAIS_2014_21_6_a10/ LA - ru ID - MAIS_2014_21_6_a10 ER -
M. V. Baklanovsky; A. R. Khanov. Identification of programs based on the behavior. Modelirovanie i analiz informacionnyh sistem, Tome 21 (2014) no. 6, pp. 120-130. http://geodesic.mathdoc.fr/item/MAIS_2014_21_6_a10/