NORT: Runtime Anomaly-Based Monitoring of Malicious Behavior for Windows

Milea, Narcisa Andreea; Khoo, Siau Cheng; Lo, David; Pop, Cristian

doi:10.1007/978-3-642-29860-8_10

Cited by 9 publications

(4 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Speci cally, in [22], the authors use system call tracing to implement intrusion detection systems (IDS). Also, in [25] and [60], the authors proposed anomaly detection mechanism based on information obtained from system calls behavior analysis. In these cases, the implementation of the security tools resulted too heavy in terms of system overhead.…”

Section: Related Workmentioning

confidence: 99%

A System-level Behavioral Detection Framework for Compromised CPS Devices

Babun

Aksu

Uluagac

2019

ACM Trans. Cyber-Phys. Syst.

View full text Add to dashboard Cite

Cyber-Physical Systems (CPS) play a signi cant role in our critical infrastructure networks from power-distribution to utility networks. e emerging smart-grid concept is a compelling critical CPS infrastructure that relies on two-way communications between smart devices to increase e ciency, enhance reliability, and reduce costs. However, compromised devices in the smart grid poses several security challenges. Consequences of propagating fake data or stealing sensitive smart grid information via compromised devices are costly. Hence, early behavioral detection of compromised devices is critical for protecting the smart grid's components and data. To address these concerns, in this paper, we introduce a novel and con gurable system-level framework to identify compromised smart grid devices. e framework combines system and function call tracing techniques with signal processing and statistical analysis to detect compromised devices based on their behavioral characteristics. We measure the e cacy of our framework with a realistic smart grid substation testbed that includes both resource-limited and resource-rich devices. In total, using our framework, we analyze six di erent types of compromised device scenarios with di erent resources and a ack payloads. To the best of our knowledge, the proposed framework is the rst in detecting compromised CPS smart grid devices with system and function-level call tracing techniques. e experimental results reveal an excellent rate for the detection of compromised devices. Speci cally, performance metrics include accuracy values between 95% and 99% for the di erent a ack scenarios. Finally, the performance analysis demonstrates that the use of the proposed framework has minimal overhead on the smart grid devices' computing resources.

show abstract

Section: Related Workmentioning

confidence: 99%

A System-level Behavioral Detection Framework for Compromised CPS Devices

Babun

Aksu

Uluagac

2019

ACM Trans. Cyber-Phys. Syst.

View full text Add to dashboard Cite

show abstract

“…A seminal idea of Forrest et al [11] for behavior-based analysis was to profile benign and malign processes on the basis of characteristic system call sequences (n-grams). This approach was later refined and combined machine learning methods to improve classification effectiveness [21,14,19,23,31]. Similar ideas were also used to classify malware w.r.t.…”

Section: Related Workmentioning

confidence: 99%

Robust and Effective Malware Detection Through Quantitative Data Flow Graph Metrics

Wüchner

Ochoa

Pretschner

2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

We present a novel malware detection approach based on metrics over quantitative data flow graphs. Quantitative data flow graphs (QDFGs) model process behavior by interpreting issued system calls as aggregations of quantifiable data flows. Due to the high abstraction level we consider QDFG metric based detection more robust against typical behavior obfuscation like bogus call injection or call reordering than other common behavioral models that base on raw system calls. We support this claim with experiments on obfuscated malware logs and demonstrate the superior obfuscation robustness in comparison to detection using ngrams. Our evaluations on a large and diverse data set consisting of about 7000 malware and 500 goodware samples show an average detection rate of 98.01% and a false positive rate of 0.48%. Moreover, we show that our approach is able to detect new malware (i.e. samples from malware families not included in the training set) and that the consideration of quantities in itself significantly improves detection precision.

show abstract

“…Например, существует алгоритм, который использует аргументы системных вызовов для того, чтобы раз-делить последовательность вызовов на подпоследовательности, которые работают с одними и теми же дескрипторами (Milea, 2012).…”

Section: предыдущие работыunclassified

“…Аналогичные тесты были проведены при работе над системой NORT (Milea, 2012). Эта система замедляла работу ОС не более чем на 10%.…”

Section: тесты производительности монитораunclassified

Identification of Programs Based on the Behavior

Baklanovsky¹,

Khanov²

2014

Model. anal. inf. sist.

View full text Add to dashboard Cite

получена 19 сентября 2014Ключевые слова: поведенческий анализ, аномальное обнаружение, выделение шаблонов В работе описан алгоритм выделения шаблонов переменной длины из по-следовательностей системных вызовов. Эти шаблоны используются для иден-тификации процессов -установления того, что некоторая последовательность вызовов была сгенерирована тем же самым процессом, из которого были выде-лены шаблоны. Существующие алгоритмы либо вычислительно сложны, либо имеют высокий уровень ложных срабатываний по сравнению со сложным и ненадежным автоматным подходом. Предложенный в работе алгоритм имеет низкую вычислительную сложность и большую точность, чем классический N-граммный алгоритм. Тесты производительности показали, что реализованный монитор системных вызовов несущественно замедляет работу операционной системы. Предложенный алгоритм после двадцатиминутного обучения спосо-бен идентифицировать за одну минуту потоки процессов с точностью 85%. Поведенческая идентификация потоков программ используется для аномаль-ного обнаружения вредоносных воздействий на систему.

show abstract

NORT: Runtime Anomaly-Based Monitoring of Malicious Behavior for Windows

Cited by 9 publications

References 7 publications

A System-level Behavioral Detection Framework for Compromised CPS Devices

A System-level Behavioral Detection Framework for Compromised CPS Devices

Robust and Effective Malware Detection Through Quantitative Data Flow Graph Metrics

Identification of Programs Based on the Behavior

Contact Info

Product

Resources

About