research-article

Markov models for application behavior analysis

Author:
Geoffrey Mazeroff

University of Tennessee, Knoxville, TN

University of Tennessee, Knoxville, TN
View Profile

CSIIRW '08: Proceedings of the 4th annual workshop on Cyber security and information intelligence research: developing strategies to meet the cyber security and information intelligence challenges aheadMay 2008Article No.: 38Pages 1–2https://doi.org/10.1145/1413140.1413184

Published:12 May 2008Publication History

CSIIRW '08: Proceedings of the 4th annual workshop on Cyber security and information intelligence research: developing strategies to meet the cyber security and information intelligence challenges ahead

Pages 1–2

ABSTRACT

Given the pervasive nature of malicious mobile code (viruses, worms, etc.), developing statistical/structural models of application execution is of considerable importance in the domain of cyber security. This work describes the inference of Markov models based on system call sequences realized by Windows XP applications: discrete-parameter Markov chains for the sequential nature of the system calls, and continuous-parameter Markov chains for the inter-arrival times between system calls. Both types of Markov chains are inferred using benign application data, and thus serve as models of benign application behavior. The goal is to classify new, unobserved system call sequences essentially as "self" or "non-self" based on the amount of deviation such sequences exhibit from the inferred models. The techniques of inference and classification can be applied to cyber security by detecting anomalous application behavior, exhibited by either malicious mobile code or unvetted benign applications.

Supplemental Material

Available for Download

pdf

a38-mazeroff-slides.pdf (773.2 KB)

Slide presentation for "Markov models for application behavior analysis"

References

G. Mazeroff, J. Gregor, M. Thomason, and R. Ford. "Probabilistic suffix models for API sequence analysis of Windows XP applications," Pattern Recognition, 41: 90--101, 2007. Google ScholarDigital Library
Process Monitor. http://technet.microsoft.com/enus/sysinternals/bb896645.aspxGoogle Scholar

Index Terms

Markov models for application behavior analysis
1. Computing methodologies
  1. Modeling and simulation
    1. Model development and analysis
2. Mathematics of computing
  1. Probability and statistics

Recommendations

Network anomaly detection by continuous hidden markov models: An evolutionary programming approach

Information security is an important and growing need. The most common schemes used for detection systems include pattern-or signature-based and anomaly-based. Anomaly-based schemes use a set of metrics, which outline the normal system behavior and any ...
Read More
Probabilistic suffix models for API sequence analysis of Windows XP applications

Given the pervasive nature of malicious mobile code (viruses, worms, etc.), developing statistical/structural models of code execution is of considerable importance. We investigate using probabilistic suffix trees (PSTs) and associated suffix automata (...
Read More
The partially observable hidden Markov model and its application to keystroke dynamics

The partially observable hidden Markov model (POHMM) is introduced.In keystroke dynamics, the key names partially reveal typist behavior.The POHMM hidden state is conditioned on an independent Markov chain.The marginalized POHMM is equivalent to the ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
CSIIRW '08: Proceedings of the 4th annual workshop on Cyber security and information intelligence research: developing strategies to meet the cyber security and information intelligence challenges ahead
May 2008
470 pages
ISBN:9781605580982
DOI:10.1145/1413140
Editors:
Frederick Sheldon,
Axel Krings,
Robert Abercrombie,
Ali Mili
Copyright © 2008 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 12 May 2008
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Markov chain
anomaly detection
windows XP
Qualifiers
- research-article
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 0
  Total Citations
  View Citations
- 298
  Total Downloads
- Downloads (Last 12 months)0
- Downloads (Last 6 weeks)0
Other Metrics
View Author Metrics
Cited By
This publication has not been cited yet

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Markov models for application behavior analysis

CSIIRW '08: Proceedings of the 4th annual workshop on Cyber security and information intelligence research: developing strategies to meet the cyber security and information intelligence challenges ahead

ABSTRACT

Supplemental Material

Available for Download

References

Cited By

Index Terms

Recommendations

Network anomaly detection by continuous hidden markov models: An evolutionary programming approach

Probabilistic suffix models for API sequence analysis of Windows XP applications

The partially observable hidden Markov model and its application to keystroke dynamics