Detecting Malicious Software by Monitoring Anomalous Windows Registry Accesses

Frank Apap; Andrew Honig; Shlomo Hershkop; Eleazar Eskin; Salvatore Stolfo

Title: Detecting Malicious Software by Monitoring Anomalous Windows Registry Accesses
Author(s): Apap, Frank; Honig, Andrew; Hershkop, Shlomo; Eskin, Eleazar; Stolfo, Salvatore
Date:
Type: Articles
Department: Computer Science
Permanent URL:
Notes: Recent Advances in Intrusion Detection: 5th International Symposium, RAID 2002, Zurich, Switzerland, October 16-18, 2002: Proceedings, Lecture Notes in Computer Science, vol. 2516 (New York: Springer-Verlag, 2002), pp. 36-53.
Abstract:
We present a host-based intrusion detection system (IDS) for Microsoft Windows. The core of the system is an algorithm that detects attacks on a host machine by looking for anomalous accesses to the Windows Registry. The key idea is to first train a model of normal registry behavior on a Windows host, and then use this model to detect abnormal registry accesses at run-time. The normal model is trained using clean (attack-free) data. At run-time the model is used to check each access to the registry in real time to determine whether or not the behavior is abnormal and (possibly) corresponds to an attack. The system is effective in detecting the actions of malicious software while maintaining a low rate of false alarms.
Subject(s): Computer science
Publisher DOI: http://dx.doi.org/10.1007/3-540-36084-0_3
