Detecting Anomalies on Windows by Monitoring System Services [in Japanese]

Author(s)

    • Daisuke Shimamoto (島本 大輔)
    • Department of Computer Science, Graduate School of Information Science and Technology, the University of Tokyo
    • Akinori Yonezawa (米澤 明憲)
    • Department of Computer Science, Graduate School of Information Science and Technology, the University of Tokyo

Abstract

In recent years, attacks by malicious programs have become highly sophisticated. Some new exploits and polymorphic viruses evade security systems that rely on simple matching of byte sequences against attack signatures. An effective countermeasure against this kind of attack is anomaly detection by monitoring the behaviour of programs. In this paper, we propose an anomaly detection method that monitors System Services on Windows operating systems. The proposed method first characterizes the normal behaviour of an application from a profile of its System Service calls: it generates the set of N-grams of System Service calls and uses that set as a database representing normal behaviour. It then detects anomalies by comparing the behaviour of a monitored program against the database. We implemented an anomaly detection system based on the proposed method and conducted experiments with realistic applications. Through the experiments, we evaluated the size of the database used for characterization and the ability to detect anomalies.
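The two phases the abstract describes, profiling normal System Service call sequences as an N-gram set and then scoring a monitored trace against that set, as an added example. This is not the paper's implementation and none of its parameters come from the page: the window size N = 3, the sliding-window construction, the "fraction of unseen N-grams" decision rule, the 0.2 threshold and the call traces are all assumptions made for illustration. The call names are real Nt* System Service names, but the sequences are constructed by hand, not data from the experiments.

```python
"""Added example (not the paper's code): N-gram profile of Windows System
Service calls as a normal-behaviour database, plus a detector that scores a
monitored trace against it.

Assumptions (the page gives none of these): N = 3, N-grams are windows of
consecutive calls, a trace is flagged when the fraction of N-grams absent
from the database exceeds THRESHOLD, and all traces below are constructed.
"""
from typing import Dict, Iterable, Iterator, List, Sequence, Set, Tuple

NGram = Tuple[str, ...]

N = 3            # assumed window size
THRESHOLD = 0.2  # assumed: flag if > 20% of a trace's N-grams are unseen


def ngrams(trace: Sequence[str], n: int) -> Iterator[NGram]:
    """Yield every window of n consecutive System Service calls in trace."""
    for i in range(len(trace) - n + 1):
        yield tuple(trace[i:i + n])


def build_profile(traces: Iterable[Sequence[str]], n: int) -> Set[NGram]:
    """Training phase: the set of all N-grams seen in known-good runs.

    The set is the 'database representing normal behaviour'; membership is
    all the detector needs, so counts are deliberately not kept."""
    profile: Set[NGram] = set()
    for trace in traces:
        profile.update(ngrams(trace, n))
    return profile


def score_trace(trace: Sequence[str], profile: Set[NGram],
                n: int) -> Tuple[int, int, List[NGram]]:
    """Detection phase: count the N-grams of trace that are not in profile.

    Returns (unseen, total, unseen_ngrams); the last item is what an analyst
    would want to see when a trace is flagged."""
    unseen: List[NGram] = []
    total = 0
    for gram in ngrams(trace, n):
        total += 1
        if gram not in profile:
            unseen.append(gram)
    return len(unseen), total, unseen


def is_anomalous(trace: Sequence[str], profile: Set[NGram],
                 n: int, threshold: float) -> bool:
    """Flag the trace when the unseen fraction exceeds threshold.

    A trace shorter than n yields no N-grams and is never flagged here; a
    real monitor needs a separate policy for that edge case."""
    unseen, total, _ = score_trace(trace, profile, n)
    return total > 0 and unseen / total > threshold


def profile_sizes(traces: Iterable[Sequence[str]], ns: Iterable[int]) -> Dict[int, int]:
    """Database size for each window size N (the abstract evaluates this).

    A larger N gives a tighter model of normal behaviour but usually a larger
    database, because the same calls combine into more distinct windows."""
    fixed = [list(t) for t in traces]  # traces may be a one-shot iterator
    return {n: len(build_profile(fixed, n)) for n in ns}


# Constructed "normal" traces of a file-handling application (illustrative).
NORMAL_TRACES = [
    ["NtOpenFile", "NtQueryInformationFile", "NtReadFile", "NtReadFile", "NtClose"],
    ["NtCreateFile", "NtWriteFile", "NtWriteFile", "NtClose"],
    ["NtOpenFile", "NtQueryInformationFile", "NtReadFile", "NtClose"],
    ["NtAllocateVirtualMemory", "NtOpenFile", "NtReadFile", "NtClose"],
]

# Constructed monitored traces: one benign, one that after reading a file
# makes memory executable and starts a thread (not seen during training).
BENIGN_TRACE = ["NtAllocateVirtualMemory", "NtOpenFile", "NtReadFile", "NtClose"]
SUSPICIOUS_TRACE = ["NtOpenFile", "NtQueryInformationFile", "NtReadFile",
                    "NtAllocateVirtualMemory", "NtProtectVirtualMemory",
                    "NtCreateThread", "NtClose"]

PROFILE = build_profile(NORMAL_TRACES, N)

if __name__ == "__main__":
    print("profile size by N:", profile_sizes(NORMAL_TRACES, (1, 2, 3)))
    for name, trace in (("benign", BENIGN_TRACE), ("suspicious", SUSPICIOUS_TRACE)):
        unseen, total, misses = score_trace(trace, PROFILE, N)
        verdict = is_anomalous(trace, PROFILE, N, THRESHOLD)
        print(f"{name}: {unseen}/{total} unseen N-grams, anomalous={verdict}")
        for gram in misses:
            print("   unseen:", " -> ".join(gram))
```

Two practitioner caveats follow directly from the scheme, independent of the paper's results: the threshold trades false positives (legitimate paths never exercised during training) against misses, so the training traces must cover the application's normal code paths; and an attacker who restricts a payload to call sequences already in the profile (a mimicry attack) is not detected by membership checks alone.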

Journal

  • IPSJ Transactions on Advanced Computing Systems (ACS) (情報処理学会論文誌コンピューティングシステム)

    Vol. 47, No. SIG 12 (ACS 15), pp. 420-429, 2006-09-15

    Information Processing Society of Japan (IPSJ)

References:  25

Cited by:  3

Codes

  • NII Article ID (NAID)
    110004782260
  • NII NACSIS-CAT ID (NCID)
    AA11833852
  • Text Lang
    JPN
  • Article Type
    Journal Article
  • ISSN
    1882-7829
  • NDL Article ID
    8516000
  • NDL Call No.
    Z74-C192
  • Data Source
    CJP, CJPref, NDL, NII-ELS, IPSJ