
Detecting Unknown Anomalous Program Behavior Using API System Calls

  • Conference paper

Part of the book series: Communications in Computer and Information Science (CCIS, volume 254)

Abstract

This paper presents techniques for detecting anomalous programs based on the analysis of their system call traces. We collect the API calls of the tested executable programs with the Microsoft Detours system and extract features for the classification task using the established n-gram technique. We propose three feature extraction approaches: frequency-based, time-based, and a hybrid approach that combines the first two. We use well-known classifier algorithms, run through the WEKA interface, to separate malicious programs from benign ones. Our empirical evidence demonstrates that the proposed feature extraction approaches detect malicious programs at a rate of over 88%, which is quite promising compared with contemporary research in this area.
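To make the three feature-extraction approaches concrete, here is an added example (not code from the paper) that turns a constructed API-call trace into frequency-based, time-based and hybrid n-gram feature vectors and renders them as a WEKA ARFF file. The trace format (timestamp in ms, API name), the sorted shared vocabulary, and the choice of "mean time span covered by each n-gram" as the time-based feature are assumptions of this example, not the paper's definitions.

```python
"""Added example: n-gram features from an API-call trace (not the paper's code).

Assumed trace format: list of (timestamp_ms, api_name) as a Detours-style
hook might log them. Assumed time-based feature: mean ms spanned by each
n-gram's occurrences. Unseen n-grams map to 0 so all vectors align.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Sequence, Tuple

Call = Tuple[int, str]
Gram = Tuple[str, ...]

# Constructed sample trace: a file read/write followed by a registry write.
SAMPLE_TRACE: List[Call] = [
    (0, "CreateFileW"), (3, "ReadFile"), (5, "ReadFile"), (9, "CloseHandle"),
    (12, "CreateFileW"), (14, "WriteFile"), (20, "CloseHandle"),
    (25, "RegOpenKeyExW"), (26, "RegSetValueExW"), (30, "RegCloseKey"),
]


def ngrams(trace: Sequence[Call], n: int) -> List[Gram]:
    """Sliding window of n consecutive API names, order preserved."""
    names = [name for _, name in trace]
    return [tuple(names[i:i + n]) for i in range(len(names) - n + 1)]


def build_vocab(traces: Sequence[Sequence[Call]], n: int) -> List[Gram]:
    """Fixed, sorted n-gram vocabulary so every program maps to the same columns."""
    return sorted({g for t in traces for g in ngrams(t, n)})


def frequency_features(trace: Sequence[Call], vocab: List[Gram], n: int) -> List[float]:
    """Frequency-based: occurrence count of each vocabulary n-gram (0 if absent)."""
    counts = Counter(ngrams(trace, n))
    return [float(counts.get(g, 0)) for g in vocab]


def time_features(trace: Sequence[Call], vocab: List[Gram], n: int) -> List[float]:
    """Time-based (assumed form): mean ms from first to last call of each n-gram."""
    spans: Dict[Gram, List[int]] = defaultdict(list)
    for i, g in enumerate(ngrams(trace, n)):
        spans[g].append(trace[i + n - 1][0] - trace[i][0])
    return [sum(spans[g]) / len(spans[g]) if g in spans else 0.0 for g in vocab]


def hybrid_features(trace: Sequence[Call], vocab: List[Gram], n: int) -> List[float]:
    """Hybrid: frequency vector followed by time vector."""
    return frequency_features(trace, vocab, n) + time_features(trace, vocab, n)


def to_arff(vocab: List[Gram], rows: Sequence[Tuple[List[float], str]]) -> str:
    """Render labelled hybrid feature rows as a WEKA ARFF document."""
    attrs = [f"freq_{'_'.join(g)}" for g in vocab] + [f"time_{'_'.join(g)}" for g in vocab]
    lines = ["@RELATION api_ngrams"] + [f"@ATTRIBUTE {a} NUMERIC" for a in attrs]
    lines += ["@ATTRIBUTE class {benign,malicious}", "@DATA"]
    lines += [",".join(map(str, feats)) + "," + label for feats, label in rows]
    return "\n".join(lines)
```

The ARFF text from `to_arff` is what would be loaded into WEKA to train the classifiers the abstract mentions; the vocabulary must be built from the training traces once and reused for every program scored afterwards.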



Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Rafiqul Islam, M., Saiful Islam, M., U. Chowdhury, M. (2011). Detecting Unknown Anomalous Program Behavior Using API System Calls. In: Abd Manaf, A., Sahibuddin, S., Ahmad, R., Mohd Daud, S., El-Qawasmeh, E. (eds) Informatics Engineering and Information Science. ICIEIS 2011. Communications in Computer and Information Science, vol 254. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-25483-3_31


  • DOI: https://doi.org/10.1007/978-3-642-25483-3_31

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-25482-6

  • Online ISBN: 978-3-642-25483-3

  • eBook Packages: Computer Science (R0)
