Detecting Anomalous Application Behaviors Using a System Call Clustering Method over Critical Resources

  • Conference paper
Advances in Network Security and Applications (CNSA 2011)

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 196))

Abstract

Malware attacks that exploit an application in order to launch a payload have become a major security threat. We present a methodology and an algorithm that detect anomalies in application behavior and prevent such attacks. Our approach is to represent the normal behavior of an application, detect deviations from that normal behavior, and block them. Normal behavior is represented by clustering the system calls an application makes over critical resources; an enforcement algorithm then monitors the running application for deviations from this profile, and any mismatch with the normal behavior is treated as an anomaly. We describe the approach, and we have implemented and tested it; the results are encouraging. Unlike previous research in this direction, we implement on Windows rather than Linux, and we use minifilter and registry callback techniques instead of raw system call interception, which is prohibited in the latest operating system versions (Kernel Patch Protection on 64-bit Windows).
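The abstract describes a profile-then-enforce scheme but does not give the clustering or enforcement details, so the following is an added illustration written for this page, not the authors' algorithm or code. It assumes (hypothetically) that monitored events arrive as (process, operation, resource path) tuples, that "critical resources" are grouped into clusters by path or registry-key prefix, and that an application's profile is simply the set of (operation, cluster) pairs observed during training. The event traces are constructed sample data.

```python
"""
Toy profile-and-enforce anomaly monitor in the spirit of the abstract above.
Constructed example, not the paper's method. Hypothetical assumptions:
  - an event is (process_name, operation, resource_path)
  - critical resources are clustered by normalised path prefix
  - a profile is the set of (operation, cluster) pairs seen in training
"""
from collections import defaultdict

# Hypothetical resource clusters. Order matters: the first matching prefix wins,
# so the more specific Temp prefix is listed before the broader user-profile one.
RESOURCE_CLUSTERS = [
    ("temp_files",  ("c:/users/alice/appdata/local/temp/",)),
    ("user_docs",   ("c:/users/alice/documents/",)),
    ("system_bins", ("c:/windows/system32/",)),
    ("run_keys",    ("hklm/software/microsoft/windows/currentversion/run",
                     "hkcu/software/microsoft/windows/currentversion/run")),
]


def normalise(path):
    """Lower-case and use forward slashes so file paths and registry keys compare uniformly."""
    return path.lower().replace("\\", "/")


def cluster_of(path):
    """Return the critical-resource cluster for a path, or None if it is not critical."""
    p = normalise(path)
    for name, prefixes in RESOURCE_CLUSTERS:
        if any(p.startswith(prefix) for prefix in prefixes):
            return name
    return None


def build_profile(events):
    """Training phase: per process, collect the (operation, cluster) pairs observed
    over critical resources. Accesses to non-critical resources are not modelled."""
    profile = defaultdict(set)
    for process, operation, path in events:
        cluster = cluster_of(path)
        if cluster is not None:
            profile[process.lower()].add((operation, cluster))
    return dict(profile)


def enforce(profile, events):
    """Enforcement phase: return one (verdict, process, operation, path, reason) tuple
    per event. An access to a critical resource whose (operation, cluster) pair is
    not in the process's profile is DENIED; a process with no profile at all is
    denied every critical access."""
    decisions = []
    for process, operation, path in events:
        cluster = cluster_of(path)
        if cluster is None:
            decisions.append(("ALLOW", process, operation, path, "non-critical resource"))
            continue
        allowed = profile.get(process.lower())
        if allowed is None:
            decisions.append(("DENY", process, operation, path, "no profile for process"))
        elif (operation, cluster) in allowed:
            decisions.append(("ALLOW", process, operation, path, f"{operation} on {cluster} in profile"))
        else:
            decisions.append(("DENY", process, operation, path, f"{operation} on {cluster} not in profile"))
    return decisions


# Constructed training trace: a word processor editing a document.
TRAINING_EVENTS = [
    ("WINWORD.EXE", "read",   r"C:\Users\alice\Documents\notes.docx"),
    ("WINWORD.EXE", "write",  r"C:\Users\alice\Documents\notes.docx"),
    ("WINWORD.EXE", "create", r"C:\Users\alice\AppData\Local\Temp\~WRD0001.tmp"),
    ("WINWORD.EXE", "read",   r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
]

# Constructed monitoring trace: the same process after an exploit-style deviation.
MONITORED_EVENTS = [
    ("WINWORD.EXE", "read",    r"C:\Users\alice\Documents\report.docx"),
    ("WINWORD.EXE", "write",   r"C:\Windows\System32\drivers\payload.sys"),
    ("WINWORD.EXE", "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    ("WINWORD.EXE", "read",    r"C:\Program Files\Common Files\fonts.dat"),
]


def run_demo():
    """Train on TRAINING_EVENTS, then enforce over MONITORED_EVENTS; returns the verdicts."""
    profile = build_profile(TRAINING_EVENTS)
    return enforce(profile, MONITORED_EVENTS)


if __name__ == "__main__":
    for verdict, process, operation, path, reason in run_demo():
        print(f"{verdict:5} {process} {operation:8} {path}  ({reason})")
```

The two denials are exactly the kinds of deviation the abstract targets: a process that has only ever touched user documents and its own temp files suddenly writing into System32 or adding a Run key. In a real deployment the events would come from a file-system minifilter and a registry callback rather than a list, the profile would need to be keyed on something harder to spoof than the image name, and the clusters would have to be broad enough that legitimate but rarely seen accesses do not generate a flood of false denials.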


Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Jyostna, G., Himanshu, P., Eswari, P.R.L. (2011). Detecting Anomalous Application Behaviors Using a System Call Clustering Method over Critical Resources. In: Wyld, D.C., Wozniak, M., Chaki, N., Meghanathan, N., Nagamalai, D. (eds) Advances in Network Security and Applications. CNSA 2011. Communications in Computer and Information Science, vol 196. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22540-6_6
