A Comparative Evaluation of Two Algorithms for Windows Registry Anomaly Detection

Stolfo, Salvatore; Apap, Frank; Eskin, Eleazar; Heller, Katherine; Hershkop, Shlomo; Honig, Andrew; Svore, Krysta

We present a component anomaly detector for a host-based intrusion detection system (IDS) for Microsoft Windows. The core of the detector is a learning-based anomaly detection algorithm that detects attacks on a host machine by looking for anomalous accesses to the Windows Registry. We present and compare two anomaly detection algorithms for use in our IDS system and evaluate their performance. One algorithm called PAD, for Probabilistic Anomaly Detection, is based upon a probability density estimation while the second uses the Support Vector Machine framework. The key idea behind the detector is to first train a model of normal Registry behavior on a Windows host, even when noise may be present in the training data, and use this model to detect abnormal Registry accesses. At run-time the model is used to check each access to the Registry in real-time to determine whether or not the behavior is abnormal and possibly corresponds to an attack. The system is effective in detecting the actions of malicious software while maintaining a low rate of false alarms. We show that the probabilistic anomaly detection algorithm exhibits better performance in accuracy and in computational complexity over the support vector machine implementation under three different kernel functions.



More About This Work

Academic Units
Computer Science
Published Here
April 30, 2010


Journal of Computer Security, vol. 13, no. 4 (2005), pp. 659-693.