<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Publishing DTD v1.3 20210610//EN" "JATS-journalpublishing1-3.dtd">
<article article-type="research-article" dtd-version="1.3" xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xml:lang="ru"><front><journal-meta><journal-id journal-id-type="publisher-id">mais</journal-id><journal-title-group><journal-title xml:lang="ru">Моделирование и анализ информационных систем</journal-title><trans-title-group xml:lang="en"><trans-title>Modeling and Analysis of Information Systems</trans-title></trans-title-group></journal-title-group><issn pub-type="ppub">1818-1015</issn><issn pub-type="epub">2313-5417</issn><publisher><publisher-name>Yaroslavl State University</publisher-name></publisher></journal-meta><article-meta><article-id pub-id-type="doi">10.18255/1818-1015-2014-6-120-130</article-id><article-id custom-type="elpub" pub-id-type="custom">mais-76</article-id><article-categories><subj-group subj-group-type="heading"><subject>Research Article</subject></subj-group><subj-group subj-group-type="section-heading" xml:lang="ru"><subject>Оригинальные статьи</subject></subj-group><subj-group subj-group-type="section-heading" xml:lang="en"><subject>Articles</subject></subj-group></article-categories><title-group><article-title>Поведенческая идентификация программ</article-title><trans-title-group xml:lang="en"><trans-title>Identification of Programs Based on the Behavior</trans-title></trans-title-group></title-group><contrib-group><contrib contrib-type="author" corresp="yes"><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Баклановский</surname><given-names>Максим Викторович</given-names></name><name name-style="western" xml:lang="en"><surname>Baklanovsky</surname><given-names>M. V.</given-names></name></name-alternatives><bio xml:lang="ru"><p>ст. преподаватель, 198504, Санкт-Петербург, Петергоф, Университетский пр., дом 28</p></bio><bio xml:lang="en"><p>ст. преподаватель, Saint-Petersburg, Petergof, Universitetskii pr., 28, 198504, Russia</p></bio><email xlink:type="simple">m.baklanovsky@spbu.ru</email><xref ref-type="aff" rid="aff-1"/></contrib><contrib contrib-type="author" corresp="yes"><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Ханов</surname><given-names>Артур Рафаэльевич</given-names></name><name name-style="western" xml:lang="en"><surname>Khanov</surname><given-names>A. R.</given-names></name></name-alternatives><bio xml:lang="ru"><p>аспирант, 198504, Санкт-Петербург, Петергоф, Университетский пр., дом 28</p></bio><bio xml:lang="en"><p>аспирант, Saint-Petersburg, Petergof, Universitetskii pr., 28, 198504, Russia</p></bio><email xlink:type="simple">m.baklanovsky@spbu.ru</email><xref ref-type="aff" rid="aff-1"/></contrib></contrib-group><aff-alternatives id="aff-1"><aff xml:lang="ru"><institution>Санкт-Петербургский государственный университет</institution><country>Россия</country></aff><aff xml:lang="en"><institution>Saint Petersburg State University</institution><country>Russian Federation</country></aff></aff-alternatives><pub-date pub-type="collection"><year>2014</year></pub-date><pub-date pub-type="epub"><day>20</day><month>12</month><year>2014</year></pub-date><volume>21</volume><issue>6</issue><fpage>120</fpage><lpage>130</lpage><permissions><copyright-statement>Copyright &amp;#x00A9; Баклановский М.В., Ханов А.Р., 2014</copyright-statement><copyright-year>2014</copyright-year><copyright-holder xml:lang="ru">Баклановский М.В., Ханов А.Р.</copyright-holder><copyright-holder xml:lang="en">Baklanovsky M.V., Khanov A.R.</copyright-holder><license xml:lang="ru" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>Данная работа распространяется под лицензией Creative Commons Attribution 4.0.</license-p></license><license xml:lang="en" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>This work is licensed under a Creative Commons Attribution 4.0 License.</license-p></license></permissions><self-uri xlink:href="https://www.mais-journal.ru/jour/article/view/76">https://www.mais-journal.ru/jour/article/view/76</self-uri><abstract><p>В работе описан алгоритм выделения шаблонов переменной длины из последовательностей системных вызовов. Эти шаблоны используются для идентификации процессов – установления того, что некоторая последовательность вызовов была сгенерирована тем же самым процессом, из которого были выделены шаблоны. Существующие алгоритмы либо вычислительно сложны, либо имеют высокий уровень ложных срабатываний по сравнению со сложным и ненадежным автоматным подходом. Предложенный в работе алгоритм имеет низкую вычислительную сложность и большую точность, чем классический N-граммный алгоритм. Тесты производительности показали, что реализованный монитор системных вызовов несущественно замедляет работу операционной системы. Предложенный алгоритм после двадцатиминутного обучения способен идентифицировать за одну минуту потоки процессов с точностью 85%. Поведенческая идентификация потоков программ используется для аномального обнаружения вредоносных воздействий на систему.</p></abstract><trans-abstract xml:lang="en"><p>The algorithm of pattern mining from sequences of system calls is described. Patterns are used for process identification or establishing the fact that some sequence of system calls was produced by the process which was used in pattern extraction. Existing algorithms are computationaly more complex or reveals high false positive runs in experiments in comparision with an automaton building algorithm. Our algorithm is less complex and more precise in comparision with the classical N-gram algorithm. Performance tests reveal that our kernel monitor does not significatly slow down the processing of the operating system. After 20 minutes of learning the algorithm is able to identify any thread of any process with 85% precision. Program identification based on behavior is used for anomaly detection of malicious activities in system.</p></trans-abstract><kwd-group xml:lang="ru"><kwd>поведенческий анализ</kwd><kwd>аномальное обнаружение</kwd><kwd>выделение шаблонов</kwd></kwd-group><kwd-group xml:lang="en"><kwd>behavior analysis</kwd><kwd>anomaly detection</kwd><kwd>pattern mining</kwd></kwd-group></article-meta></front><back><ref-list><title>References</title><ref id="cit1"><label>1</label><citation-alternatives><mixed-citation xml:lang="ru">Andreas Wespi, Marc Dacier, and Herv Debar. Intrusion Detection Using Variable-Length Audit Trail Patterns // Proceedings of the Third International Workshop on Recent Advances in Intrusion Detection. London, UK, UK: Springer-Verlag, 2000. P. 110–129.</mixed-citation><mixed-citation xml:lang="en">Andreas Wespi, Marc Dacier, and Herv Debar. Intrusion Detection Using Variable-Length Audit Trail Patterns // Proceedings of the Third International Workshop on Recent Advances in Intrusion Detection. London, UK, UK: Springer-Verlag, 2000. P. 110–129.</mixed-citation></citation-alternatives></ref><ref id="cit2"><label>2</label><citation-alternatives><mixed-citation xml:lang="ru">Anup K. Ghosh, Aaron Schwartzbard. A study in using neural networks for anomaly and misuse detection // Proceedings of the 8th conference on USENIX Security Symposium. Vol. 8. Washington, D.C.: USENIX Association Berkeley, 1999. P. 141–151.</mixed-citation><mixed-citation xml:lang="en">Anup K. Ghosh, Aaron Schwartzbard. A study in using neural networks for anomaly and misuse detection // Proceedings of the 8th conference on USENIX Security Symposium. Vol. 8. Washington, D.C.: USENIX Association Berkeley, 1999. P. 141–151.</mixed-citation></citation-alternatives></ref><ref id="cit3"><label>3</label><citation-alternatives><mixed-citation xml:lang="ru">D.Lo, S.Khoo Mining patterns and rules for software specification discovery // Proceedings of the VLDB Endowment. VLDB Endowment, 2008. P. 1609–1616.</mixed-citation><mixed-citation xml:lang="en">D.Lo, S.Khoo Mining patterns and rules for software specification discovery // Proceedings of the VLDB Endowment. VLDB Endowment, 2008. P. 1609–1616.</mixed-citation></citation-alternatives></ref><ref id="cit4"><label>4</label><citation-alternatives><mixed-citation xml:lang="ru">Feng, Henry Hanping and Kolesnikov, Oleg M. and Fogla, Prahlad and Lee, Wenke and Gong, Weibo Anomaly detection using call stack information // Proceedings 19th International Conference on Data Engineering. Washington, DC, USA: IEEE Computer Society, 2003. P. 62–75.</mixed-citation><mixed-citation xml:lang="en">Feng, Henry Hanping and Kolesnikov, Oleg M. and Fogla, Prahlad and Lee, Wenke and Gong, Weibo Anomaly detection using call stack information // Proceedings 19th International Conference on Data Engineering. Washington, DC, USA: IEEE Computer Society, 2003. P. 62–75.</mixed-citation></citation-alternatives></ref><ref id="cit5"><label>5</label><citation-alternatives><mixed-citation xml:lang="ru">Forrest, S., Hofmeyr, S.A., Somayaji, A., Longstaff, T.A. A Sense of Self for Unix Processes // Proceeding SP ’96 Proceedings of the 1996 IEEE Symposium on Security and Privacy. Washington, DC, USA: IEEE Computer Society, 1996. P. 120–128.</mixed-citation><mixed-citation xml:lang="en">Forrest, S., Hofmeyr, S.A., Somayaji, A., Longstaff, T.A. A Sense of Self for Unix Processes // Proceeding SP ’96 Proceedings of the 1996 IEEE Symposium on Security and Privacy. Washington, DC, USA: IEEE Computer Society, 1996. P. 120–128.</mixed-citation></citation-alternatives></ref><ref id="cit6"><label>6</label><citation-alternatives><mixed-citation xml:lang="ru">H. Debar, M. Dacier, M. Nassehi, A. Wespi. Fixed vs. variable-length patterns for detecting suspicious process behavior // J. Comput. Secur. IOS Press, 2000. P. 159–181.</mixed-citation><mixed-citation xml:lang="en">H. Debar, M. Dacier, M. Nassehi, A. Wespi. Fixed vs. variable-length patterns for detecting suspicious process behavior // J. Comput. Secur. IOS Press, 2000. P. 159–181.</mixed-citation></citation-alternatives></ref><ref id="cit7"><label>7</label><citation-alternatives><mixed-citation xml:lang="ru">K. Tan, R. Maxion "Why 6?" Defining the operational limits of stide, an anomaly-based intrusion detector // SP ’02: Proceedings of the 2002 IEEE Symposium on Security and Privacy. Washington, DC, USA: IEEE Computer Society, 2002. P. 188–201.</mixed-citation><mixed-citation xml:lang="en">K. Tan, R. Maxion "Why 6?" Defining the operational limits of stide, an anomaly-based intrusion detector // SP ’02: Proceedings of the 2002 IEEE Symposium on Security and Privacy. Washington, DC, USA: IEEE Computer Society, 2002. P. 188–201.</mixed-citation></citation-alternatives></ref><ref id="cit8"><label>8</label><citation-alternatives><mixed-citation xml:lang="ru">Milea, Narcisa Andreea and Khoo, Siau Cheng and Lo, David and Pop, Cristian NORT: runtime anomaly-based monitoring of malicious behavior for windows // Proceedings of the Second International Conference on Runtime Verification. Berlin, Heidelberg: SpringerVerlag, 2012. P. 115–130.</mixed-citation><mixed-citation xml:lang="en">Milea, Narcisa Andreea and Khoo, Siau Cheng and Lo, David and Pop, Cristian NORT: runtime anomaly-based monitoring of malicious behavior for windows // Proceedings of the Second International Conference on Runtime Verification. Berlin, Heidelberg: SpringerVerlag, 2012. P. 115–130.</mixed-citation></citation-alternatives></ref><ref id="cit9"><label>9</label><citation-alternatives><mixed-citation xml:lang="ru">Sekar R., Bendre M., Dhurjati D., Bollineni P. A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors // Proceedings of the 2001 IEEE Symposium on Security and Privacy. Washington, DC, USA: IEEE Computer Society, 2001. P. 144–155.</mixed-citation><mixed-citation xml:lang="en">Sekar R., Bendre M., Dhurjati D., Bollineni P. A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors // Proceedings of the 2001 IEEE Symposium on Security and Privacy. Washington, DC, USA: IEEE Computer Society, 2001. P. 144–155.</mixed-citation></citation-alternatives></ref><ref id="cit10"><label>10</label><citation-alternatives><mixed-citation xml:lang="ru">Steven A. Hofmeyr, Stephanie Forrest , Anil Somayaji Intrusion detection using sequences of system calls // Journal of Computer Security. 1998. P. 151–180.</mixed-citation><mixed-citation xml:lang="en">Steven A. Hofmeyr, Stephanie Forrest , Anil Somayaji Intrusion detection using sequences of system calls // Journal of Computer Security. 1998. P. 151–180.</mixed-citation></citation-alternatives></ref><ref id="cit11"><label>11</label><citation-alternatives><mixed-citation xml:lang="ru">Tankard, Colin. Persistent threats and how to monitor and deter them. Network Security, 2011. P. 16–19.</mixed-citation><mixed-citation xml:lang="en">Tankard, Colin. Persistent threats and how to monitor and deter them. Network Security, 2011. P. 16–19.</mixed-citation></citation-alternatives></ref><ref id="cit12"><label>12</label><citation-alternatives><mixed-citation xml:lang="ru">Warrender Christina, Forrest Stephanie, Pearlmutter Barak. Detecting Intrusions Using System Calls: Alternative Data Models // IEEE Symposium on security and privacy. Oakland, CA: IEEE Computer Society, 1999. P. 133–145.</mixed-citation><mixed-citation xml:lang="en">Warrender Christina, Forrest Stephanie, Pearlmutter Barak. Detecting Intrusions Using System Calls: Alternative Data Models // IEEE Symposium on security and privacy. Oakland, CA: IEEE Computer Society, 1999. P. 133–145.</mixed-citation></citation-alternatives></ref><ref id="cit13"><label>13</label><citation-alternatives><mixed-citation xml:lang="ru">Одеров Р.С., Тенсин Е.Д. Способы размещения своего кода в ядре ОС Microsoft Windows Server 2008 // Сборник трудов межвузовской научно-практической конференции "Актуальные проблемы организации и технологии защиты информации". Санкт-Петербург: СПбНИУ ИТМО, 2011. C. 100–102. (English transl.: Oderov R.S., Tensin Y.D. Ways of code placing in a kernel of OS Microsoft Windows Server 2008// Proceedings of interuniversity theoretical and practical conference "Actual problems of organization and technology of information protection". Saint-Petersburg: SPbNRU ITMO, 2011. P. 100–102).</mixed-citation><mixed-citation xml:lang="en">Одеров Р.С., Тенсин Е.Д. Способы размещения своего кода в ядре ОС Microsoft Windows Server 2008 // Сборник трудов межвузовской научно-практической конференции "Актуальные проблемы организации и технологии защиты информации". Санкт-Петербург: СПбНИУ ИТМО, 2011. C. 100–102. (English transl.: Oderov R.S., Tensin Y.D. Ways of code placing in a kernel of OS Microsoft Windows Server 2008// Proceedings of interuniversity theoretical and practical conference "Actual problems of organization and technology of information protection". Saint-Petersburg: SPbNRU ITMO, 2011. P. 100–102).</mixed-citation></citation-alternatives></ref><ref id="cit14"><label>14</label><citation-alternatives><mixed-citation xml:lang="ru">Ханов А.Р., Баклановский М.В. Идентификация процессов программ по внешним признакам // Материалы всероссийской научной конференции по проблемам информатики "СПИСОК-2012". Санкт-Петербург: СПбГУ, 2012. C. 76–78. (English transl.: Khanov A.R., Baklanovsky M.V. Process identification based on external features // Proceedings of all-Russian scientific conference on Informatics problems "SPISOK-2012". Saint-Petersburg: SPbSU, 2012. P. 76–78.)</mixed-citation><mixed-citation xml:lang="en">Ханов А.Р., Баклановский М.В. Идентификация процессов программ по внешним признакам // Материалы всероссийской научной конференции по проблемам информатики "СПИСОК-2012". Санкт-Петербург: СПбГУ, 2012. C. 76–78. (English transl.: Khanov A.R., Baklanovsky M.V. Process identification based on external features // Proceedings of all-Russian scientific conference on Informatics problems "SPISOK-2012". Saint-Petersburg: SPbSU, 2012. P. 76–78.)</mixed-citation></citation-alternatives></ref><ref id="cit15"><label>15</label><citation-alternatives><mixed-citation xml:lang="ru">Баклановский М.В., Ханов А.Р. CODA – новая система компьютерной безопасности: обзор архитектуры системы//Материалы секции 22, XXXVIII Академические чтения по космонавтике. 2014. C. 649–650. (English transl.: Khanov A.R., Baklanovsky M.V. CODA – novel system for computer security: review of system architecture// Proceedings of section 22, XXXVIII Academic readings on Astronautics. Moscow, 2014. P. 649–650.)</mixed-citation><mixed-citation xml:lang="en">Баклановский М.В., Ханов А.Р. CODA – новая система компьютерной безопасности: обзор архитектуры системы//Материалы секции 22, XXXVIII Академические чтения по космонавтике. 2014. C. 649–650. (English transl.: Khanov A.R., Baklanovsky M.V. CODA – novel system for computer security: review of system architecture// Proceedings of section 22, XXXVIII Academic readings on Astronautics. Moscow, 2014. P. 649–650.)</mixed-citation></citation-alternatives></ref></ref-list><fn-group><fn fn-type="conflict"><p>The authors declare that there are no conflicts of interest present.</p></fn></fn-group></back></article>
