Anomaly-Based Intrusion Detection Systems Utilizing System Call Data

Technical Report | Accession Number: ADA568124

Abstract:

This research aims at the enhancement of computer defenses by making them invulnerable to new, mutating and obfuscated malware. It offers a semantic approach to system behavior analysis, centered on the concept of functionality. Functionality is the highest level of behavior semantics: it is defined by the specific goal of computer operations, not by its software realization. This allows for identifying entire classes of malware that achieve the same specific malicious operations. Colored Petri nets are proposed as a basis for behavioral signatures representing particular functionalities, both legitimate and malicious. Special techniques are proposed to address three interrelated aspects: signature expressiveness, behavioral obfuscation and run-time signature matching efficiency. A signature-based approach for detecting malicious functionalities in the system call domain is developed. It has been implemented in a software prototype and tested. It is superior to existing behavior-based techniques in addressing behavioral obfuscations and multiple functionality realizations. The experimental results indicate a low rate of false positives and negatives, and low execution overhead. Such results suggest that detecting malicious functionality presents a sufficiently dependable and efficient method for distinguishing malware from benign software.

Security Markings

DOCUMENT & CONTEXTUAL SUMMARY

Distribution:
Approved For Public Release
Distribution Statement:
Approved For Public Release; Distribution Is Unlimited.

RECORD

Collection: TR