ABSTRACT
Given the pervasive nature of malicious mobile code (viruses, worms, etc.), developing statistical/structural models of application execution is of considerable importance in the domain of cyber security. This work describes the inference of Markov models based on system call sequences realized by Windows XP applications: discrete-parameter Markov chains for the sequential nature of the system calls, and continuous-parameter Markov chains for the inter-arrival times between system calls. Both types of Markov chains are inferred using benign application data, and thus serve as models of benign application behavior. The goal is to classify new, unobserved system call sequences essentially as "self" or "non-self" based on the amount of deviation such sequences exhibit from the inferred models. The techniques of inference and classification can be applied to cyber security by detecting anomalous application behavior, exhibited by either malicious mobile code or unvetted benign applications.
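The inference and classification procedure sketched above, as an added illustration that is not the paper's own code: a first-order discrete-parameter chain over system-call names is fitted from benign traces with additive smoothing, a continuous-parameter model assigns each state an exponential holding time whose rate is the maximum-likelihood estimate (departures divided by time spent in the state), and a new trace is scored by its mean negative log-likelihood per step under each model. The traces, the smoothing pseudo-count, the threshold margin and the `<UNK>` catch-all state are all constructed assumptions for the example, not values from the paper.

```python
"""Added example (not the paper's code): fit a discrete-parameter Markov chain
over system-call names and a continuous-parameter (exponential holding-time)
model per state from benign traces, then flag new traces whose deviation from
either model exceeds a threshold calibrated on the benign data."""
import math
from collections import Counter, defaultdict

UNK = "<UNK>"  # catch-all state for syscalls never seen in benign data (assumption)

# Constructed sample traces (not real Process Monitor data): (syscall, timestamp in ms)
BENIGN_TRACES = [
    [("NtOpenFile", 0.0), ("NtReadFile", 1.1), ("NtReadFile", 2.0), ("NtClose", 3.2)],
    [("NtOpenFile", 0.0), ("NtReadFile", 1.0), ("NtClose", 2.3)],
    [("NtOpenFile", 0.0), ("NtReadFile", 1.2), ("NtReadFile", 2.1), ("NtReadFile", 3.0), ("NtClose", 4.1)],
    [("NtOpenFile", 0.0), ("NtReadFile", 0.9), ("NtWriteFile", 2.2), ("NtClose", 3.5)],
    [("NtCreateFile", 0.0), ("NtWriteFile", 1.3), ("NtWriteFile", 2.4), ("NtClose", 3.6)],
]


def fit_discrete(traces, alpha=0.5):
    """Transition matrix P(next | current) from counts, with additive smoothing
    (pseudo-count alpha is an assumed value) so an unseen transition scores a
    small probability instead of -inf log-likelihood."""
    states = sorted({name for t in traces for name, _ in t} | {UNK})
    counts = defaultdict(Counter)
    for trace in traces:
        names = [n for n, _ in trace]
        for cur, nxt in zip(names, names[1:]):
            counts[cur][nxt] += 1
    trans = {}
    for cur in states:
        total = sum(counts[cur].values()) + alpha * len(states)
        trans[cur] = {nxt: (counts[cur][nxt] + alpha) / total for nxt in states}
    return trans


def fit_continuous(traces):
    """Holding time in each state modelled as exponential; MLE rate =
    departures from the state / total time spent in it."""
    time_in, departures = Counter(), Counter()
    for trace in traces:
        for (cur, t0), (_, t1) in zip(trace, trace[1:]):
            time_in[cur] += t1 - t0
            departures[cur] += 1
    return {s: departures[s] / time_in[s] for s in departures}


def score(trans, rates, trace):
    """Mean negative log-likelihood per step, separately for the syscall sequence
    and for the holding times. Unknown syscalls map to UNK; a state with no
    fitted rate (e.g. one only ever seen as a final call) uses the pooled mean rate."""
    if len(trace) < 2:
        raise ValueError("need at least one transition")

    def sym(name):
        return name if name in trans else UNK

    pooled = sum(rates.values()) / len(rates)
    seq_nll = time_nll = 0.0
    for (cur, t0), (nxt, t1) in zip(trace, trace[1:]):
        seq_nll -= math.log(trans[sym(cur)][sym(nxt)])
        lam = rates.get(sym(cur), pooled)
        time_nll -= math.log(lam) - lam * (t1 - t0)  # exponential log-density
    n = len(trace) - 1
    return seq_nll / n, time_nll / n


def calibrate(trans, rates, traces, margin=0.5):
    """Thresholds = worst benign training score per model plus a margin
    (0.5 nats is an assumed slack, not a value from the paper)."""
    seq_scores, time_scores = zip(*(score(trans, rates, t) for t in traces))
    return max(seq_scores) + margin, max(time_scores) + margin


def classify(trans, rates, thresholds, trace):
    """'self' only if the trace is within threshold under BOTH models."""
    seq_s, time_s = score(trans, rates, trace)
    seq_thr, time_thr = thresholds
    seq_ok, time_ok = seq_s <= seq_thr, time_s <= time_thr
    return {"verdict": "self" if seq_ok and time_ok else "non-self",
            "seq_score": seq_s, "time_score": time_s,
            "seq_ok": seq_ok, "time_ok": time_ok}


TRANS = fit_discrete(BENIGN_TRACES)
RATES = fit_continuous(BENIGN_TRACES)
THRESHOLDS = calibrate(TRANS, RATES, BENIGN_TRACES)

# Constructed test traces: one benign-like, one with unseen calls, one with benign
# call order but inter-arrival times far outside the fitted holding-time model
NORMAL = [("NtOpenFile", 0.0), ("NtReadFile", 1.0), ("NtReadFile", 2.1), ("NtClose", 3.3)]
UNSEEN_CALLS = [("NtOpenFile", 0.0), ("NtCreateProcess", 0.4), ("NtWriteVirtualMemory", 0.6),
                ("NtCreateThread", 0.7), ("NtClose", 0.9)]
SLOW_TIMING = [("NtOpenFile", 0.0), ("NtReadFile", 20.0), ("NtReadFile", 40.0), ("NtClose", 60.0)]

if __name__ == "__main__":
    for name, tr in [("normal", NORMAL), ("unseen", UNSEEN_CALLS), ("slow", SLOW_TIMING)]:
        print(name, classify(TRANS, RATES, THRESHOLDS, tr))
```

Scoring the two models separately is the point of fitting both: the trace with unseen calls is caught by the sequence model while its timing looks normal, and the slow trace has exactly the transitions of a benign trace and is caught only by the holding-time model. With benign-only training data there are no positives to tune against, so the threshold here is the worst benign score plus slack; a deployment would instead pick it from the distribution of benign scores on held-out traces.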
Supplemental Material
Slide presentation for "Markov models for application behavior analysis"