Skip to main content
SpringerLink
Log in

NORT: Runtime Anomaly-Based Monitoring of Malicious Behavior for Windows

  • Conference paper
Runtime Verification (RV 2011)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 7186))

Included in the following conference series:

Abstract

Protecting running programs from exploits has been the focus of many host-based intrusion detection systems. To this end various formal methods have been developed that either require manual construction of attack signatures or modelling of normal program behavior to detect exploits. In terms of the ability to discover new attacks before the infection spreads, the former approach has been found to be lacking in flexibility. Consequently, in this paper, we present an anomaly monitoring system, NORT, that verifies on-the-fly whether running programs comply to their expected normal behavior. The model of normal behavior is based on a rich set of discriminators such as minimal infrequent and maximal frequent iterative patterns of system calls, and relative entropy between distributions of system calls. Experiments run on malware samples have shown that our approach is able to effectively detect a broad range of attacks with very low overheads.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Operation aurora (2010), http://en.wikipedia.org/wiki/Operation_Aurora#Response_and_aftermath

  2. Agency, N.S.: Security-enhanced linux (2008), http://www.nsa.gov/selinux

  3. Broder, A., Mitzenmacher, M.: Network applications of bloom filters: A survey. Internet Mathematics (2004)

    Google Scholar 

  4. Christodorescu, M., Jha, S.: Static analysis of executables to detect malicious patterns. Tech. rep., University of Wisconsin, Madison (2003)

    Google Scholar 

  5. Christodorescu, M., Jha, S., Kruegel, C.: Mining specifications of malicious behavior. In: India Software Engineering Conference. ACM (2008)

    Google Scholar 

  6. Feng, H.H., Kolesnikov, O.M., Fogla, P., Lee, W., Gong, W.: Anomaly detection using call stack information. In: Proc. IEEE S&P (2003)

    Google Scholar 

  7. Forrest, S., Hofmeyr, S.A., Somayaji, A., Longstaff, T.A.: A sense of self for unix processes. In: Proc. IEEE S&P (1996)

    Google Scholar 

  8. Giffin, J.T., Jha, S., Miller, B.P.: Detecting manipulated remote call streams. In: Proc. USENIX Security Symposium (2002)

    Google Scholar 

  9. Gopalakrishna, R., Spafford, E.H., Vitek, J.: Efficient intrusion detection using automaton inlining. In: Proc. IEEE S&P (2005)

    Google Scholar 

  10. Kaspersky: Adobe: the number one target for hackers in the first quarter (2010), http://www.kaspersky.com/news?id=207576094

  11. Kumar, S., Spafford, E.: A pattern matching model for misuse intrusion detection. In: Proc. National Computer Security Conference (1994)

    Google Scholar 

  12. Lee, C., Chen, F., Rosu, G.: Mining parametric specifications. In: Proc. ICSE (2011)

    Google Scholar 

  13. Lee, W., Stolfo, S.J.: Data mining approaches for intrusion detection. In: Proc. USENIX Security Symposium (1998)

    Google Scholar 

  14. Lee, W., Xiang, D.: Information-theoretic measures for anomaly detection. In: Proc. IEEE S&P (2001)

    Google Scholar 

  15. Lo, D., Khoo, S.C., Liu, C.: Efficient mining of iterative patterns for software specification discovery. In: Proc. ACM SIGKDD (2007)

    Google Scholar 

  16. Nucci, A., Bannerman, S.: Controlled chaos. IEEE Spectrum (December 2007), http://www.spectrum.ieee.org/dec07/5722

  17. Safyallah, H., Sartipi, K.: Dynamic analysis of software systems using execution pattern mining. In: Proc. IEEE ICPC (2006)

    Google Scholar 

  18. Sekar, R., Bendre, M., Dhurjati, D., Bollineni, P.: A fast automaton-based method for detecting anomalous program behaviors. In: Proc. IEEE S&P (2001)

    Google Scholar 

  19. Sophos: Top 10 malware (June 2008), http://www.sophos.com/security/top-10/

  20. Szathmary, L., Napoli, A., Valtchev, P.: Towards rare itemset mining. In: Proc. IEEE International Conference on Tools with Artificial Intelligence (2007)

    Google Scholar 

  21. Wagner, D., Dean, D.: Intrusion detection via static analysis. In: Proc. S&P (2001)

    Google Scholar 

  22. Wagner, D., Soto, P.: Mimicry attacks on host-based intrusion detection systems. In: Proc. CCS (2002)

    Google Scholar 

  23. Warrender, C., Forrest, S., Pearlmutter, B.: Detecting intrusions using system calls: Alternative data models. In: Proc. IEEE S&P (1999)

    Google Scholar 

  24. Wespi, A., Dacier, M., Debar, H.: Intrusion Detection Using Variable-Length Audit Trail Patterns. In: Debar, H., Mé, L., Wu, S.F. (eds.) RAID 2000. LNCS, vol. 1907, pp. 110–129. Springer, Heidelberg (2000)

    Chapter  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. National University of Singapore, Singapore

    Narcisa Andreea Milea & Siau Cheng Khoo

  2. Singapore Management University, Singapore

    David Lo

  3. Microsoft, Redmond, USA

    Cristian Pop

Authors
  1. Narcisa Andreea Milea
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Siau Cheng Khoo
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. David Lo
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Cristian Pop
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Electrical and Computer Engineering, The University of Texas at Austin, 1 University Station C5000, 78712-0240, Austin, TX, USA

    Sarfraz Khurshid

  2. University of California, 581 Soda Hall #1776, 94720-1776, Berkeley, CA, USA

    Koushik Sen

Rights and permissions

Reprints and permissions

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Milea, N.A., Khoo, S.C., Lo, D., Pop, C. (2012). NORT: Runtime Anomaly-Based Monitoring of Malicious Behavior for Windows. In: Khurshid, S., Sen, K. (eds) Runtime Verification. RV 2011. Lecture Notes in Computer Science, vol 7186. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29860-8_10

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-29860-8_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-29859-2

  • Online ISBN: 978-3-642-29860-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation