NORT: Runtime Anomaly-based Monitoring of Malicious Behavior for Windows
Protecting running programs from exploits has been the focus of many host-based intrusion detection systems. To this end various formal methods have been developed that either require manual construction of attack signatures or modelling of normal program behavior to detect exploits. In terms of the...
Saved in:
| Main Authors: | , , , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2011
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/1404 http://dx.doi.org/10.1007/978-3-642-29860-8_10 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| id |
sg-smu-ink.sis_research-2403 |
|---|---|
| record_format |
dspace |
| spelling |
sg-smu-ink.sis_research-24032015-12-08T15:55:43Z NORT: Runtime Anomaly-based Monitoring of Malicious Behavior for Windows MILEA, Narcisa Andrea KHOO, Siau-Cheng LO, David POP, Cristi Protecting running programs from exploits has been the focus of many host-based intrusion detection systems. To this end various formal methods have been developed that either require manual construction of attack signatures or modelling of normal program behavior to detect exploits. In terms of the ability to discover new attacks before the infection spreads, the former approach has been found to be lacking in flexibility. Consequently, in this paper, we present an anomaly monitoring system, NORT, that verifies on-the-fly whether running programs comply to their expected normal behavior. The model of normal behavior is based on a rich set of discriminators such as minimal infrequent and maximal frequent iterative patterns of system calls, and relative entropy between distributions of system calls. Experiments run on malware samples have shown that our approach is able to effectively detect a broad range of attacks with very low overheads. 2011-09-01T07:00:00Z text https://ink.library.smu.edu.sg/sis_research/1404 info:doi/10.1007/978-3-642-29860-8_10 http://dx.doi.org/10.1007/978-3-642-29860-8_10 Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Software Engineering |
| institution |
Singapore Management University |
| building |
SMU Libraries |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
SMU Libraries |
| collection |
InK@SMU |
| language |
English |
| topic |
Software Engineering |
| spellingShingle |
Software Engineering MILEA, Narcisa Andrea KHOO, Siau-Cheng LO, David POP, Cristi NORT: Runtime Anomaly-based Monitoring of Malicious Behavior for Windows |
| description |
Protecting running programs from exploits has been the focus of many host-based intrusion detection systems. To this end various formal methods have been developed that either require manual construction of attack signatures or modelling of normal program behavior to detect exploits. In terms of the ability to discover new attacks before the infection spreads, the former approach has been found to be lacking in flexibility. Consequently, in this paper, we present an anomaly monitoring system, NORT, that verifies on-the-fly whether running programs comply to their expected normal behavior. The model of normal behavior is based on a rich set of discriminators such as minimal infrequent and maximal frequent iterative patterns of system calls, and relative entropy between distributions of system calls. Experiments run on malware samples have shown that our approach is able to effectively detect a broad range of attacks with very low overheads. |
| format |
text |
| author |
MILEA, Narcisa Andrea KHOO, Siau-Cheng LO, David POP, Cristi |
| author_facet |
MILEA, Narcisa Andrea KHOO, Siau-Cheng LO, David POP, Cristi |
| author_sort |
MILEA, Narcisa Andrea |
| title |
NORT: Runtime Anomaly-based Monitoring of Malicious Behavior for Windows |
| title_short |
NORT: Runtime Anomaly-based Monitoring of Malicious Behavior for Windows |
| title_full |
NORT: Runtime Anomaly-based Monitoring of Malicious Behavior for Windows |
| title_fullStr |
NORT: Runtime Anomaly-based Monitoring of Malicious Behavior for Windows |
| title_full_unstemmed |
NORT: Runtime Anomaly-based Monitoring of Malicious Behavior for Windows |
| title_sort |
nort: runtime anomaly-based monitoring of malicious behavior for windows |
| publisher |
Institutional Knowledge at Singapore Management University |
| publishDate |
2011 |
| url |
https://ink.library.smu.edu.sg/sis_research/1404 http://dx.doi.org/10.1007/978-3-642-29860-8_10 |
| _version_ |
1770571109319573504 |