Detecting Malicious Software by Monitoring Anomalous Windows Registry Accesses
Authors
Abstract
We present a host-based intrusion detection system for Microsoft Windows. The core of the system is an algorithm that detects attacks on a host machine by looking for anomalous accesses to the Windows Registry. The key idea is to first train a model of normal registry behavior for a host and then to use this model to detect abnormal registry accesses at run-time. The system trains the normal model on data that contains no attacks; at run-time it checks each registry access in real time to determine whether the behavior is abnormal and corresponds to an attack. We evaluate the system by training it on a set of normal registry accesses and then using it to detect the actions of malicious software. The system is effective in detecting the actions of malicious software while maintaining a low rate of false alarms.
Similar resources
A comparative evaluation of two algorithms for Windows Registry Anomaly Detection
We present a component anomaly detector for a host-based intrusion detection system (IDS) for Microsoft Windows. The core of the detector is a learning-based anomaly detection algorithm that detects attacks on a host machine by looking for anomalous accesses to the Windows Registry. We present and compare two anomaly detection algorithms for use in our IDS system and evaluate their performance....
One Class Support Vector Machines for Detecting Anomalous Windows Registry Accesses
We present a new Host-based Intrusion Detection System (IDS) that monitors accesses to the Microsoft Windows Registry using Registry Anomaly Detection (RAD). Our system uses a one class Support Vector Machine (OCSVM) to detect anomalous registry behavior by training on a dataset of normal registry accesses. It then uses this model to detect outliers in new (unclassified) data generated from the...
Monitoring of Malicious Activity in Software Systems
Because of time and budget constraints, organisations are turning more and more to Commercial Off-The-Shelf (COTS) software rather than developing in-house software. This situation gives rise to great concerns over safety, security, and reliability in critical information systems. This paper presents a research effort to help manage the risk associated with COTS integration through the exploitat...
Anomaly Detection in Computer Security and an Application to File System Accesses
We present an overview of anomaly detection used in computer security, and provide a detailed example of a host-based Intrusion Detection System that monitors file systems to detect abnormal accesses. The File Wrapper Anomaly Detector (FWRAP) has two parts, a sensor that audits file systems, and an unsupervised machine learning system that computes normal models of those accesses. FWRAP employs...
Detecting Malicious Behaviors of Software through Analysis of API Sequence k-grams
Nowadays, software is widely applied to increase accuracy, efficiency, and convenience in various areas of our life, so it is essential to use software in our current computing environments. Despite the valuable applications of software, malicious behaviors caused by software vulnerabilities threaten our secure computing environments. So, it is important to identify and detect malicious beh...