Coloured Petri nets (2nd ed.): basic concepts, analysis methods and practical use: volume 1
Coloured Petri nets (2nd ed.): basic concepts, analysis methods and practical use: volume 1
On the Limits of Information Flow Techniques for Malware Analysis and Containment
DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Synthesizing Near-Optimal Malware Specifications from Suspicious Behaviors
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
Effective and efficient malware detection at the end host
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
AccessMiner: using system-centric models for malware protection
Proceedings of the 17th ACM conference on Computer and communications security
Expressive, efficient and obfuscation resilient behavior based IDS
ESORICS'10 Proceedings of the 15th European conference on Research in computer security
| Hi-index | 0.00 |
Functionality is the highest semantic level of the software behavior pyramid that reflects goals of the software rather than its specific implementation. Detection of malicious functionalities presents an effective way to detect malware in behavior-based IDS. A technology for mining system call data, discussed herein, results in the detection of functionalities representing operation of legitimate software within a closed network environment. The set of such functionalities combined with the frequencies of their execution constitutes a normalcy profile typical for this environment. Detection of deviations from this normalcy profile, new functionalities and/or changes in the execution frequencies, provides evidence of abnormal activity in the network caused by malware. This approach could be especially valuable for the detection of targeted zero-day attacks. The paper presents the results of the implementation and testing of the described technology on the computer network testbed.