Host-based intrusion detection system for secure human-centric computing

Published in The Journal of Supercomputing

Abstract

With the advancement of information and communication technology, people can access many useful services for human-centric computing. Although this advancement increases work efficiency and convenience, advanced security threats such as the Advanced Persistent Threat (APT) attack have also been increasing continuously. Technical measures against APT attacks are urgently needed because such attacks, for example the 3.20 Cyber Terror and the SK Communications hacking incident, have occurred repeatedly and caused considerable social and economic damage. Moreover, existing security devices have limitations in coping with APT attacks, which persist by using zero-day malware for which no signature yet exists. For this reason, we propose a malware detection method based on the behavior information of processes on the host PC, which overcomes the limitations of existing signature-based intrusion detection systems. First, we defined 39 characteristic parameters for distinguishing malware from benign programs and collected 8.7 million characteristic parameter events by executing malware and benign programs in a virtual-machine environment. Then, for an executable running on a host PC, we represent its behavior as an 83-dimensional vector by reconstructing, per process ID, the frequency with which each characteristic parameter occurs in the collected data. Including the frequency of characteristic parameter events occurring in child processes yields more accurate behavior information. Finally, we use the C4.5 decision tree algorithm to detect malware in the resulting database. Our proposed method achieves a 2.0 % false-negative rate and a 5.8 % false-positive rate.
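The two steps the abstract describes, building a per-process frequency vector that folds child-process counts into the parent and then choosing a decision-tree split with the C4.5 gain-ratio criterion, are sketched below as an added example. This is not the paper's code: the five feature names in FEATURES, the Process-Monitor-style event log in EVENTS, the labels in training_set(), and the functions build_vectors() and best_split() are all constructed for illustration (the paper uses 39 characteristic parameters and an 83-dimensional vector). The block generalises slightly beyond the abstract by showing the gain-ratio computation C4.5 uses to select a split, which the abstract names but does not spell out.

```python
"""Per-process behaviour vectors with child-process aggregation and a
C4.5-style gain-ratio split.  Added illustration; not the paper's code.
The feature names, the event log and the labels are all constructed."""
import math
from collections import Counter, defaultdict

# Assumed characteristic parameters (the paper defines 39; five are used here).
FEATURES = ["CreateProcess", "WriteFile", "RegSetValue", "TCP Connect", "CreateRemoteThread"]

# Constructed Process-Monitor-style events: (pid, parent_pid, operation).
EVENTS = [
    (100, 1, "CreateProcess"),        # benign editor launches a helper
    (100, 1, "WriteFile"),
    (101, 100, "WriteFile"),
    (101, 100, "WriteFile"),
    (200, 1, "CreateProcess"),        # dropper spawns a child that persists and beacons
    (201, 200, "WriteFile"),
    (201, 200, "RegSetValue"),
    (201, 200, "RegSetValue"),
    (201, 200, "TCP Connect"),
    (201, 200, "CreateRemoteThread"),
]


def build_vectors(events, features=FEATURES):
    """Return {pid: [count per feature]}.  Each process's vector includes the
    events of all its descendants, mirroring the abstract's point that child
    process activity sharpens the parent's behaviour profile.  A process is
    known only if it emitted at least one listed event itself (assumption)."""
    idx = {name: i for i, name in enumerate(features)}
    own = defaultdict(lambda: [0] * len(features))
    parent = {}
    for pid, ppid, op in events:
        parent[pid] = ppid
        if op in idx:
            own[pid][idx[op]] += 1
    totals = {pid: list(vec) for pid, vec in own.items()}
    for pid, vec in own.items():
        seen = set()                  # guard against PID reuse forming a cycle
        anc = parent.get(pid)
        while anc in totals and anc not in seen:
            seen.add(anc)
            totals[anc] = [a + b for a, b in zip(totals[anc], vec)]
            anc = parent.get(anc)
    return totals


def entropy(labels):
    """Shannon entropy (bits) of a label list."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def best_split(samples, features=FEATURES):
    """Pick the (feature, threshold) with the highest C4.5 gain ratio:
    information gain divided by the split's own entropy, which penalises
    splits that merely shave off a single sample (plain ID3 gain rewards them).
    samples: list of (vector, label)."""
    base = entropy([label for _, label in samples])
    best = (None, None, 0.0)
    for i, name in enumerate(features):
        values = sorted({vec[i] for vec, _ in samples})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2
            left = [label for vec, label in samples if vec[i] <= thr]
            right = [label for vec, label in samples if vec[i] > thr]
            p = len(left) / len(samples)
            gain = base - p * entropy(left) - (1 - p) * entropy(right)
            split_info = entropy(["L"] * len(left) + ["R"] * len(right))
            ratio = gain / split_info if split_info else 0.0
            if ratio > best[2]:
                best = (name, thr, ratio)
    return best


def training_set():
    """Constructed labelled vectors: four derived from EVENTS plus two extra."""
    vec = build_vectors(EVENTS)
    return [
        (vec[100], "benign"), (vec[101], "benign"),
        ([0, 5, 1, 0, 0], "benign"),      # installer writing one registry value
        (vec[200], "malware"), (vec[201], "malware"),
        ([2, 4, 3, 0, 0], "malware"),     # persists via registry, no beacon in sandbox
    ]


if __name__ == "__main__":
    for pid, vec in sorted(build_vectors(EVENTS).items()):
        print(pid, dict(zip(FEATURES, vec)))
    print("root split:", best_split(training_set()))
```

On the constructed data the dropper's parent (PID 200) looks harmless on its own events alone, a single CreateProcess; only after its child's registry writes and network connection are folded in does its vector separate from the benign editor, which is the effect the abstract attributes to counting child-process events. The root split chosen by gain ratio is RegSetValue > 1.5, which separates the six samples perfectly; a full C4.5 implementation would recurse on each side and prune, which this sketch omits.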


References

  1. NSHC (2013) 3.20 South Korea Cyber Attack, Red Alert Research Report. http://training.nshc.net/KOR/Document/virus/20130321_320CyberTerrorIncidentResponseReportbyRedAlert(EN).pdf. Accessed 24 March 2015

  2. Command Five Pty Ltd (2011) SK hack by an advanced persistent threat. http://www.commandfive.com/papers/C5_APT_SKHack.pdf. Accessed 24 March 2015

  3. Tankard C (2011) Persistent threats and how to monitor and deter them. Netw Secur 2011(8):16–19


  4. Symantec (2011) Symantec Internet Security Threat Report. https://www4.symantec.com/mktginfo/downloads/21182883_GA_REPORT_ISTR_Main-Report_04-11_HI-RES.pdf. Accessed 24 March 2015

  5. RSA (2011) RSA 2011 cybercrime trends report. Whitepaper

  6. Hu J (2010) Host-based anomaly intrusion detection. In: Handbook of information and communication security. Springer, Berlin, pp 235–255

  7. Ashoor AS, Gore S (2011) Intrusion detection system: case study. In: Proceedings of international conference on advanced materials engineering, vol 15, pp 6–9

  8. NIST, Special Publication 800-30 Revision 1. Guide for conducting risk assessments. http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf. Accessed 24 March 2015

  9. RSA (2011) RSA Security Brief: Mobilizing intelligent security operations for advanced persistent threats. http://www.emc.com/collateral/industry-overview/11313-apt-brf.pdf, February 2011. Accessed 24 March 2015

  10. Son K, Lee T, Won D (2014) Design for Zombie PCs and APT Attack Detection based on traffic analysis. J Korea Inst Inf Secur Cryptol 24(3):491–498


  11. Verizon. Threats on the horizon—the rise of the advanced persistent threat. http://www.fortinet.com/sites/default/files/solutionbrief/threats-on-the-horizon-rise-of-advanced-persistent-threats.pdf. Accessed 24 March 2015

  12. Tandon G (2008) Machine learning for host-based anomaly detection. Dissertation, Florida Institute of Technology

  13. Wang W, Guan XH, Zhang XL (2004) Modeling program behaviors by hidden Markov models for intrusion detection. In: Proceedings of international conference on machine learning and cybernetics, pp 2830–2835

  14. Warrender C, Forrest S, Pearlmutter B (1999) Detecting intrusions using system calls: alternative data models. In: Proceedings of IEEE symposium on security and privacy, pp 133–145

  15. Murtaza SS, Khreich W, Hamou-Lhadj A, Couture M (2013) A host-based anomaly detection approach by representing system calls as states of kernel modules. In: Proceedings of 24th international symposium on software reliability engineering (ISSRE), pp 431–440

  16. Kaur H, Gill N (2013) Host based anomaly detection using fuzzy genetic approach (FGA). Int J Comput Appl 74(20):5–9


  17. Santos I et al (2010) Idea: Opcode-sequence-based malware detection. In: Proceedings of the 2nd international symposium on engineering secure software and systems (ESSoS 2010). Lecture notes in computer science, vol 5965, pp 35–43

  18. Kim HJ, Lee S-W (2013) A hardware-based string matching using state transition compression for deep packet inspection. ETRI J 35(1):154–157. doi:10.4218/etrij.13.0212.0165


  19. Song J, Kim H, Gkelias A (2014) iVisher: real-time detection of caller ID spoofing. ETRI J 36(5):865–875. doi:10.4218/etrij.14.0113.0798


  20. Cho J, Shon T, Choi K, Moon J (2013) Dynamic learning model update of hybrid-classifiers for intrusion detection. J Supercomput 64(2):522–526


  21. Xiong W, Xiong N, Yang LT, Park JH, Hu H, Wang Q (2013) An anomaly-based detection in ubiquitous network using the equilibrium state of the catastrophe theory. J Supercomput 64(2):274–294


  22. Jin H, Xiang G, Zou D, Wu S, Zhao F, Li M, Zheng W (2013) A VMM-based intrusion prevention system in cloud computing environment. J Supercomput 66(3):1133–1151


  23. Cuckoo sandbox. http://www.cuckoosandbox.org. Accessed 24 March 2015

  24. Process monitor. http://technet.microsoft.com/ko-kr/sysinternals/bb896645. Accessed 24 March 2015

  25. Malshare. http://malshare.com/. Accessed 24 March 2015

  26. WEKA Open Sources tools for Data Mining. http://www.cs.waikato.ac.nz/ml/weka/. Accessed 24 March 2015


Acknowledgments

This work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (No. B0101-15-1293, Cyber targeted attack recognition and trace-back technology based-on long-term historic analysis of multi-source data).

Corresponding author

Correspondence to Daesung Moon.

Cite this article

Moon, D., Pan, S.B. & Kim, I. Host-based intrusion detection system for secure human-centric computing. J Supercomput 72, 2520–2536 (2016). https://doi.org/10.1007/s11227-015-1506-9
