Conference item
Detecting disguised processes using Application-Behaviour Profiling
- Abstract:
- In order to avoid detection, malware can disguise itself as a legitimate program or hijack system processes to reach its goals. Commonly used signature-based Intrusion Detection Systems (IDS) struggle to distinguish between these processes and are thus only of limited use to detect such attacks. They also have the shortcoming that they need to be updated frequently to possess the latest malware definitions. This makes them inherently prone to missing novel attack techniques. Misuse detection IDSs however overcome this problem by maintaining a ground truth of normal application behavior while reporting deviations as anomalies. In our approach, we try to accomplish this by observing a process’ memory consumption. This is for two reasons: We expect the readings to be less volatile in comparison to for instance network operations. Second, by breaking the problem down, we are able to investigate thoroughly while still laying the foundations for future expansion. We use the observations from a given host to train a machine learning algorithm. After an initial learning phase, we evaluate the model with readings from the application it has been trained on and other applications in order to assess its quality. Our results indicate that the efficacy of this method is highly dependent on parametrizing the machine learning algorithm appropriately. A large variance in accuracy with only slightly altered inputs confirms this suggestion. We finish with a discussion on deploying such an IDS at scale in a realistic scenario.
- Publication status:
- Published
- Peer review status:
- Peer reviewed
Actions
Access Document
- Files:
-
-
(Preview, Accepted manuscript, pdf, 1.1MB, Terms of use)
-
- Publisher copy:
- 10.1109/THS.2017.7943508
Authors
- Publisher:
- Institute of Electrical and Electronics Engineers
- Host title:
- HST'17: 16th annual IEEE Symposium on Technologies for Homeland Security
- Journal:
- IEEE-HST 2017 More from this journal
- Publication date:
- 2017-06-08
- Acceptance date:
- 2017-01-18
- DOI:
- Pubs id:
-
pubs:672002
- UUID:
-
uuid:182a0454-a300-4d0e-b696-0cfde33c3569
- Local pid:
-
pubs:672002
- Source identifiers:
-
672002
- Deposit date:
-
2017-02-12
- ARK identifier:
Terms of use
- Copyright holder:
- Institute of Electrical and Electronics Engineers
- Copyright date:
- 2017
- Notes:
- © 2017 IEEE. This article was presented at HST'17: 16th annual IEEE Symposium on Technologies for Homeland Security (25-26 April 2017: Boston, MA, USA). This is the accepted manuscript, the final version is available online from IEEE at [10.1109/THS.2017.7943508]
If you are the owner of this record, you can report an update to it here: Report update to this record