Detecting Malicious Software by Monitoring Anomalous Windows Registry Accesses

Apap, Frank; Honig, Andrew; Hershkop, Shlomo; Eskin, Eleazar; Stolfo, Salvatore

We present a host-based intrusion detection system (IDS) for Microsoft Windows. The core of the system is an algorithm that detects attacks on a host machine by looking for anomalous accesses to the Windows Registry. The key idea is to first train a model of normal registry behavior on a windows host, and use this model to detect abnormal registry accesses at run-time. The normal model is trained using clean (attack-free) data. At run-time the model is used to check each access to the registry in real time to determine whether or not the behavior is abnormal and (possibly) corresponds to an attack. The system is effective in detecting the actions of malicious software while maintaining a low rate of false alarms.



More About This Work

Academic Units
Computer Science
Published Here
April 30, 2010


Recent advances in intrusion detection: 5th international symposium, RAID 2002, Zurich, Switzerland, October 16-18, 2002: proceedings, Lecture Notes in Computer Science, vol. 2516 (New York: Springer-Verlag, 2002), pp. 36-53.