Detecting Malicious Software by Monitoring Anomalous Windows Registry Accesses
We present a host-based intrusion detection system (IDS) for Microsoft Windows. The core of the system is an algorithm that detects attacks on a host machine by looking for anomalous accesses to the Windows Registry. The key idea is to first train a model of normal registry behavior on a windows host, and use this model to detect abnormal registry accesses at run-time. The normal model is trained using clean (attack-free) data. At run-time the model is used to check each access to the registry in real time to determine whether or not the behavior is abnormal and (possibly) corresponds to an attack. The system is effective in detecting the actions of malicious software while maintaining a low rate of false alarms.
- rad-raid02.pdf application/pdf 248 KB Download File
Also Published In
More About This Work
- Academic Units
- Computer Science
- Published Here
- April 30, 2010
Recent advances in intrusion detection: 5th international symposium, RAID 2002, Zurich, Switzerland, October 16-18, 2002: proceedings, Lecture Notes in Computer Science, vol. 2516 (New York: Springer-Verlag, 2002), pp. 36-53.