
A Planning Approach to Monitoring Computer Programs’ Behavior

Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10879)

Abstract

We describe a novel approach to monitoring high level behaviors using concepts from AI planning. Our goal is to understand what a program is doing based on its system call trace. This ability is particularly important for detecting malware. We approach this problem by building an abstract model of the operating system using the STRIPS planning language, casting system calls as planning operators. Given a system call trace, we simulate the corresponding operators on our model and by observing the properties of the state reached, we learn about the nature of the original program and its behavior. Thus, unlike most statistical detection methods that focus on syntactic features, our approach is semantic in nature. Therefore, it is more robust against obfuscation techniques used by malware that change the outward appearance of the trace but not its effect. We demonstrate the efficacy of our approach by evaluating it on actual system call traces.
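As an added illustration of the approach the abstract describes (not the authors' code, model or operator set), the Python below casts a handful of system calls as STRIPS operators over a set of ground predicates, executes a constructed system-call trace against that model, and queries the reached state for a high-level behaviour (a watched file's contents loaded into the process and something written to a connected socket). Every predicate, operator, trace line and address is made up for the example; the model is deliberately coarse in exactly the way note 2 below describes, with unconditional effects and ignored return values. Two traces with different surface sequences but the same effect reach states in which the same behaviour holds, which is the semantic robustness the abstract claims, and a trace whose calls are inconsistent with the model (reading from a closed descriptor) is flagged rather than silently accepted.

```python
"""Toy STRIPS-style model of system calls; all names, operators and traces are constructed."""
import re
from collections import namedtuple

# A system call as a STRIPS operator: parameter variables, preconditions, add list, delete list.
Operator = namedtuple("Operator", "params pre add dele")

def _ground(template, binding):
    return tuple(binding.get(t, t) for t in template)  # substitute bound ?variables
# Coarse model: unconditional effects, return values ignored (the simplification note 2 mentions).
# "writable" is added by both open and connect: a STRIPS precondition is a conjunction only.
OPERATORS = {
    "open": Operator(("?fd", "?path"), (),
                     (("open", "?fd"), ("file-of", "?fd", "?path"), ("writable", "?fd")), ()),
    "read": Operator(("?fd",), (("open", "?fd"),), (("loaded", "?fd"),), ()),
    "write": Operator(("?fd",), (("writable", "?fd"),), (("written", "?fd"),), ()),
    "socket": Operator(("?fd",), (), (("socket", "?fd"),), ()),
    "connect": Operator(("?fd", "?host"), (("socket", "?fd"),),
                        (("connected", "?fd", "?host"), ("writable", "?fd")), ()),
    "close": Operator(("?fd",), (), (), (("open", "?fd"), ("writable", "?fd"))),
    "getpid": Operator((), (), (), ()),  # no effect in the model
}

class ModelViolation(Exception):
    """The trace performs a call whose preconditions do not hold in the model."""
_CALL_RE = re.compile(r"^\s*(\w+)\((.*)\)\s*$")

def parse_trace(text):
    """Parse constructed trace lines of the form name(arg, "arg") into (name, args) pairs."""
    calls = []
    for line in text.strip().splitlines():
        m = _CALL_RE.match(line)
        if not m:
            raise ValueError(f"unparseable trace line: {line!r}")
        name, raw = m.groups()
        calls.append((name, tuple(a.strip().strip('"') for a in raw.split(",") if a.strip())))
    return calls

def simulate(calls, state=frozenset()):
    """Execute the trace on the model (delete list, then add list) and return the reached state."""
    state = set(state)
    for name, args in calls:
        op = OPERATORS[name]
        if len(args) != len(op.params):
            raise ValueError(f"{name}: expected {len(op.params)} arguments, got {len(args)}")
        binding = dict(zip(op.params, args))
        missing = [_ground(p, binding) for p in op.pre if _ground(p, binding) not in state]
        if missing:
            raise ModelViolation(f"{name}{args}: unmet preconditions {missing}")
        state -= {_ground(d, binding) for d in op.dele}
        state |= {_ground(a, binding) for a in op.add}
    return frozenset(state)

def query(state, goals, binding=None):
    # Yield every binding of ?variables under which all goal atoms hold in the state.
    binding = dict(binding or {})
    if not goals:
        yield binding
        return
    first, rest = goals[0], goals[1:]
    for atom in state:
        if len(atom) != len(first):
            continue
        b = dict(binding)
        if all(b.setdefault(t, v) == v if t.startswith("?") else t == v
               for t, v in zip(first, atom)):
            yield from query(state, rest, b)

# High-level behaviour to look for in the reached state: the contents of a watched file
# were loaded into the process and something was written to a connected socket.
FILE_TO_NETWORK = (("file-of", "?f", "/etc/passwd"), ("loaded", "?f"),
                   ("connected", "?s", "?host"), ("written", "?s"))

def analyse(text):  # True when FILE_TO_NETWORK holds in the state the trace reaches
    return next(query(simulate(parse_trace(text)), FILE_TO_NETWORK), None) is not None

def violates_model(text):  # True when the trace cannot be executed against the model
    try:
        simulate(parse_trace(text))
        return False
    except ModelViolation:
        return True

# Constructed traces.  TRACE_NOISY has the same effect as TRACE_PLAIN but a different
# surface: a no-op call and an unrelated file are inserted and independent calls reordered.
TRACE_PLAIN = 'open(3, "/etc/passwd")\nread(3)\nsocket(4)\nconnect(4, "203.0.113.7")\nwrite(4)\nclose(3)'
TRACE_NOISY = """
getpid()
socket(4)
open(5, "/tmp/scratch")
write(5)
close(5)
open(3, "/etc/passwd")
connect(4, "203.0.113.7")
read(3)
close(3)
write(4)
"""
TRACE_BAD = 'open(3, "/etc/passwd")\nclose(3)\nread(3)'  # read from a closed descriptor
```

The final-state check is the simplest form of the idea: both traces above satisfy `FILE_TO_NETWORK` even though an n-gram over the raw call sequence would treat them as different programs. A model of real use would derive its operators from the operating system's semantics, take its traces from a system-call tracer, and also query intermediate states, since a check on the reached state alone cannot express ordering between events.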


Notes

  1. A system call is the mechanism by which a program requests from the operating system services it cannot perform directly, such as access to hardware, files, the network or memory.

  2. A more faithful model would use conditional effects instead, and would also take the calls' return values into account.


Author information

Corresponding author: Alexandre Cukier


Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

About this paper

Cite this paper

Cukier, A., Brafman, R.I., Perkal, Y., Tolpin, D. (2018). A Planning Approach to Monitoring Computer Programs’ Behavior. In: Dinur, I., Dolev, S., Lodha, S. (eds) Cyber Security Cryptography and Machine Learning. CSCML 2018. Lecture Notes in Computer Science, vol 10879. Springer, Cham. https://doi.org/10.1007/978-3-319-94147-9_19


  • DOI: https://doi.org/10.1007/978-3-319-94147-9_19

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-94146-2

  • Online ISBN: 978-3-319-94147-9

  • eBook Packages: Computer Science, Computer Science (R0)
