Detecting Malicious Software by Monitoring Anomalous Windows Registry Accesses
Frank Apap; Andrew Honig; Shlomo Hershkop; Eleazar Eskin; Salvatore Stolfo
- Computer Science
- Recent advances in intrusion detection: 5th international symposium, RAID 2002, Zurich, Switzerland, October 16-18, 2002: proceedings, Lecture Notes in Computer Science, vol. 2516 (New York: Springer-Verlag, 2002), pp. 36-53.
- We present a host-based intrusion detection system (IDS) for Microsoft Windows. The core of the system is an algorithm that detects attacks on a host machine by looking for anomalous accesses to the Windows Registry. The key idea is to first train a model of normal registry behavior on a Windows host, and use this model to detect abnormal registry accesses at run-time. The normal model is trained using clean (attack-free) data. At run-time the model is used to check each access to the registry in real time to determine whether or not the behavior is abnormal and (possibly) corresponds to an attack. The system is effective in detecting the actions of malicious software while maintaining a low rate of false alarms.
- Computer science