Skip to main content
Article
NORT: Runtime Anomaly-based Monitoring of Malicious Behavior for Windows
Runtime Verification: Second International Conference, RV 2011, San Francisco, CA, USA, September 27-30, 2011, Revised Selected Papers
  • Narcisa Andrea MILEA, National University of Singapore
  • Siau-Cheng KHOO, National University of Singapore
  • David LO, Singapore Management University
  • Cristi POP, Microsoft, Redmond
Publication Type
Conference Proceeding Article
Publication Date
9-2011
Abstract
Protecting running programs from exploits has been the focus of many host-based intrusion detection systems. To this end various formal methods have been developed that either require manual construction of attack signatures or modelling of normal program behavior to detect exploits. In terms of the ability to discover new attacks before the infection spreads, the former approach has been found to be lacking in flexibility. Consequently, in this paper, we present an anomaly monitoring system, NORT, that verifies on-the-fly whether running programs comply to their expected normal behavior. The model of normal behavior is based on a rich set of discriminators such as minimal infrequent and maximal frequent iterative patterns of system calls, and relative entropy between distributions of system calls. Experiments run on malware samples have shown that our approach is able to effectively detect a broad range of attacks with very low overheads.
ISBN
9783642298592
Identifier
10.1007/978-3-642-29860-8_10
Publisher
Springer Verlag
City or Country
Berlin
Additional URL
http://dx.doi.org/10.1007/978-3-642-29860-8_10
Citation Information
Narcisa Andrea MILEA, Siau-Cheng KHOO, David LO and Cristi POP. "NORT: Runtime Anomaly-based Monitoring of Malicious Behavior for Windows" Runtime Verification: Second International Conference, RV 2011, San Francisco, CA, USA, September 27-30, 2011, Revised Selected Papers Vol. 7186 (2011) p. 115 - 130
Available at: http://works.bepress.com/david_lo/71/