Modeling and Analysis of Information Systems

Identification of Programs Based on the Behavior

https://doi.org/10.18255/1818-1015-2014-6-120-130

Abstract

The algorithm of pattern mining from sequences of system calls is described. Patterns are used for process identification, i.e. for establishing that a given sequence of system calls was produced by the process from which the patterns were extracted. Existing algorithms are computationally more complex, or reveal high false positive rates in experiments, in comparison with an automaton-building algorithm. Our algorithm is less complex and more precise in comparison with the classical N-gram algorithm. Performance tests reveal that our kernel monitor does not significantly slow down the operating system. After 20 minutes of learning the algorithm is able to identify any thread of any process with 85% precision. Program identification based on behavior is used for anomaly detection of malicious activities in the system.
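As an added illustration, not code from the paper: the classical N-gram baseline the abstract compares against, applied to process identification. Training traces, system call names, the window size n=3 and the 0.85 acceptance threshold are constructed assumptions; a trace whose n-grams mostly fall outside every learned profile is reported as unidentified, which is the anomaly signal a monitor would act on.

```python
# Classical N-gram identification of processes from system call traces.
# Added example; the traces below are constructed, not captured from real processes.

TRAINING_TRACES = {
    "editor": [
        ["open", "read", "read", "write", "close", "open", "read", "write", "close"],
        ["open", "read", "write", "write", "close", "stat", "open", "read", "close"],
    ],
    "netd": [
        ["socket", "bind", "listen", "accept", "recv", "send", "close",
         "accept", "recv", "send", "close"],
        ["socket", "bind", "listen", "accept", "recv", "recv", "send", "close"],
    ],
}

def ngrams(trace, n):
    """All length-n windows of a trace, as tuples."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]

def build_profiles(training, n=3):
    """Learning phase: one set of observed n-grams per process name."""
    profiles = {}
    for name, traces in training.items():
        grams = set()
        for trace in traces:
            grams.update(ngrams(trace, n))
        profiles[name] = grams
    return profiles

def match_score(trace, profile, n=3):
    """Fraction of the trace's n-grams that the profile has seen before."""
    grams = ngrams(trace, n)
    if not grams:
        return 0.0
    hits = sum(1 for g in grams if g in profile)
    return hits / len(grams)

def identify(trace, profiles, n=3, threshold=0.85):
    """Return (process name or None, per-profile scores).

    None means no learned profile explains the trace well enough:
    the behaviour is unidentified and should be treated as anomalous."""
    scores = {name: match_score(trace, prof, n) for name, prof in profiles.items()}
    best = max(scores, key=scores.get)
    if scores[best] < threshold:
        return None, scores
    return best, scores
```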

About the Authors

M. V. Baklanovsky
Saint Petersburg State University
Russian Federation
Senior Lecturer, Saint-Petersburg, Petergof, Universitetskii pr., 28, 198504, Russia


A. R. Khanov
Saint Petersburg State University
Russian Federation
Postgraduate student, Saint-Petersburg, Petergof, Universitetskii pr., 28, 198504, Russia


For citations:

Baklanovsky M.V., Khanov A.R. Identification of Programs Based on the Behavior. Modeling and Analysis of Information Systems. 2014;21(6):120-130. (In Russ.) https://doi.org/10.18255/1818-1015-2014-6-120-130

This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 1818-1015 (Print)
ISSN 2313-5417 (Online)