SystemService監視によるWindows向け異常検知システム機構 [in Japanese] Detecting Anomalies on Windows by Monitoring System Services [in Japanese]
-
- 島本 大輔 SHIMAMOTO DAISUKE
- 東京大学大学院情報理工学系研究科コンピュータ科学専攻 Department of Computer Science, Graduate School of Information Science and Technology, the University of Tokyo
-
- 大山恵弘 OYAMA YOSHIHIRO
- 電気通信大学情報工学科 Department of Information Science, the University of Electro-Communications
-
- 米澤 明憲 YONEZAWA AKINORI
- 東京大学大学院情報理工学系研究科コンピュータ科学専攻 Department of Computer Science, Graduate School of Information Science and Technology, the University of Tokyo
Access this Article
Search this Article
Author(s)
-
- 島本 大輔 SHIMAMOTO DAISUKE
- 東京大学大学院情報理工学系研究科コンピュータ科学専攻 Department of Computer Science, Graduate School of Information Science and Technology, the University of Tokyo
-
- 大山恵弘 OYAMA YOSHIHIRO
- 電気通信大学情報工学科 Department of Information Science, the University of Electro-Communications
-
- 米澤 明憲 YONEZAWA AKINORI
- 東京大学大学院情報理工学系研究科コンピュータ科学専攻 Department of Computer Science, Graduate School of Information Science and Technology, the University of Tokyo
Abstract
近年,不正なプログラムによる攻撃はきわめて高度化している.多相型ウィルスや新種の攻撃コードなどによるいくつかの攻撃は,データのバイト列を攻撃のシグネチャと単純にマッチングする方式によるセキュリティシステムでは検知できないことがある.このような攻撃を検知するための有効な対策の1つに,プログラムの動作の監視による異常検知がある.本論文では,WindowsのSystem Serviceの監視による異常検知方式を提案する.提案方式では,まず,アプリケーションの正常な動作をSystem Service呼び出し動作のプロファイルから特徴化する.具体的には,System Service呼び出しのN-gram集合を生成し,それを正常な動作を表現するデータベースとして用いる.そして,監視対象のプログラムの動作をそのデータベースと比較することにより異常を検知する.我々は提案方式に基づく異常検知システムを実装し,現実的なアプリケーションを用いて実験を行った.実験では,特徴化に用いられるデータベースのサイズや異常を検知する能力について評価を行った.In recent years, attacks by malicious programs are becoming highly sophisticated. Some new exploits and polymorphic viruses can evade the detection of security systems which depend on simple matching of byte sequences. An effective countermeasure against this kind of attacks is anomaly detection by monitoring the behavior of programs. In this paper, we propose an anomaly detection method that monitors System Services on Windows operating systems. The proposed method first characterizes the normal behavior of an application by using a profile of System Service calls. Specifically, it creates N-grams of System Service calls and utilizes it as a data base representing the normal behavior. Then, it detects anomalies by comparing the behavior of monitored programs with the database. We implemented an anomaly detection system based on the proposed method and conducted experiments using realistic applications. Through the experiments, we have evaluated the size of database for characterization and the ability to detect anomalies.
In recent years, attacks by malicious programs are becoming highly sophisticated. Some new exploits and polymorphic viruses can evade the detection of security systems which depend on simple matching of byte sequences. An effective countermeasure against this kind of attacks is anomaly detection by monitoring the behavior of programs. In this paper, we propose an anomaly detection method that monitors System Services on Windows operating systems. The proposed method first characterizes the normal behavior of an application by using a profile of System Service calls. Specifically, it creates N-grams of System Service calls and utilizes it as a database representing the normal behavior. Then, it detects anomalies by comparing the behavior of monitored programs with the database. We implemented an anomaly detection system based on the proposed method and conducted experiments using realistic applications. Through the experiments, we have evaluated the size of database for characterization and the ability to detect anomalies.
Journal
-
- 情報処理学会論文誌コンピューティングシステム(ACS)
-
情報処理学会論文誌コンピューティングシステム(ACS) 47(SIG12(ACS15)), 420-429, 2006-09-15
Information Processing Society of Japan (IPSJ)
References: 25
-
1
- IE Under Attack : Microsoft Ponders Emergency Patch
-
eWeek
http://www.eweek.com/article2/0,1895,1942566,00.asp, 2006
Cited by (1)
-
2
- MS Windows NT Kernel-mode User and GDI White Paper
-
Microsoft
http://www.microsoft.com/technet/archive/ntwrkstn/evaluate/featfunc/kernelwp.mspx
Cited by (1)
-
3
- Sony's Rootkit Fiasco
-
CNet News.com
http://news.com.com/Sonys+rootkit+fiasco/2009-1029_3-5961248.html, 2005
Cited by (1)
-
4
- Windows NT System-Call Hooking
-
RUSSINOVICH M.
Dr. Dobbs Journal, 1997
Cited by (1)
-
5
- Automated Response Using System-Call Delays
-
SOMAYAJI A.
Proc. 9th USENIX Security Symposium, Denver, Colorado, USA, 2000
Cited by (1)
-
6
- On the Detection of Anomalous System Call Arguments
-
KRUGEL C.
Proc. 8th European Symposium on Research in Computer Security (ESORICS 2003), Gjovik, Norway, 2003
Cited by (1)
-
7
- Anomaly Detection Using Call Stack Information
-
FENG H. H.
Proc. 2003 IEEE Symposium on Security and Privacy, Berkeley, CA, 2003
Cited by (1)
-
8
- Temporal Signatures for Intrusion Detection
-
JONES A.
Proc. 17th Annual Computer Security Applications Conference, New Orleans, 2001, 2001
Cited by (1)
-
9
- Characterizing the Behavior of a Program Using Multiple-Length N-grams
-
MARCEAU C.
Proc. New Security Paradigms Workshop 2000 (NSPW 2000), Cork, Ireland, 2000
Cited by (1)
-
10
- Modeling System Calls for Intrusion Detection with Dynamic Window Sizes
-
ESKIN E.
Proc. DARPA Information Survivability Conference and Exposition (DISCEX 2001), Anaheim, USA, 2001
Cited by (1)
-
11
- Detours : Binary Interception of Win32 Functions
-
HUNT G.
Proc. 3rd USENIX Windows NT Symposium, Seattle, 1999, 1999
Cited by (1)
-
12
- Mediating Connectors : A Non-ByPassable Process Wrapping Technology
-
BALZER R. M.
Proc. DARPA Information Survivability Conference and Exposition (DISCEX 2000), Hilton Head, South Carolina, 2000
Cited by (1)
-
13
- A Host Intrusion Prevention System for Windows Operating Systems
-
BATTISTONI R.
Proc. 9th European Symposium On Research in Computer Security (ESORICS 2004), Sophia Antipolis, France, 2004
Cited by (1)
-
14
- Preventing the Execution of Unauthorized Win32 Applications
-
SCHMID M.
Proc. DARPA Information Survivability Conference and Exposition (DISCEX 2001), 2001
Cited by (1)
-
15
- MEF : Malicious Email Filter-A UNIX Mail Filter That Detects Malicious Windows Executables
-
SCHULTZ M. G.
Proc. 2001 USENIX Annual Technical Conference, FREENIX Track, Boston, USA, 2001
Cited by (1)
-
16
- Static Analysis of Executables to Detect Malicious Patterns
-
CHRISTODORESCU M.
Proc. 12th USENIX Security Symposium, Washington DC, 2003, 2003
Cited by (1)
-
17
- Dynamic heuristic method for detecting computer viruses using decryption exploration and evaluation phases
-
Symantec Corporation
US Patent 6,357,008, 2002
Cited by (1)
-
18
- Detecting Unknown Computer Viruses-A New Approach
-
MORI A.
Proc. ISSS 2003, 2003
Cited by (1)
-
19
- A Sence of self form Unix Process
-
FORREST S.
Proceedings of 1996 IEEE Symposium of Computer Security and Privacy, 120-128, 1996
Cited by (18)
-
20
- Detecting Intrusions using System Calls : Alternative Data Models
-
WARRENDER C.
Proceedings of the IEEE Symposium on Security and Privacy, 1999, 133-145, 1999
Cited by (21)
-
21
- A Fast Automaton-based Method for Detecting Anomalous Program Behaviors
-
SEKAR R.
Proc. the 2001 IEEE Symposium on Security and Privacy, 2001
Cited by (12)
-
22
- Intrusion Detection via Static Analysis
-
WAGNER D.
proc. of the 2001 IEEE Symposium on Security and Privacy, May, 2001
Cited by (19)
-
23
- Optimization of Intrusion Detection System Based on Static Analyses [in Japanese]
-
ABE HIROTAKE , OYAMA YOSHIHIRO , OKA MIZUKI , KATO KAZUHIKO
情報処理学会論文誌コンピューティングシステム(ACS) 45(SIG03(ACS5)), 11-20, 2004-03-15
IPSJ References (29) Cited by (14)
-
24
- Detecting Malicious Software by Monitoring Anomalous Windows Registry Accesses
-
APAP F.
Proc. 5th International Workshop on the Recent Advances in Intrusion Detection (RAID 2002), Zurich, Switzerland, 2002
Cited by (1)
-
25
- Process Migration : A Generalized Approach using a Virtualizing Operating System
-
BOYD T.
Proc. 22nd International Conference on Distributed Computing Systems (ICDCS 2002), Vienna, 2002
Cited by (1)
Cited by: 3
-
1
- Malware Detection Method by Windows System Service Call Classification using Self-Organizing Maps [in Japanese]
-
KAKIMOTO Keisuke , TANAKA Hidehiko
IPSJ SIG Notes 2008(45(2008-CSEC-041)), 43-48, 2008-05-15
IPSJ References (4)
-
2
- Implementation of Protecting Program Behiviour Rules for Intrusion Prevention System [in Japanese]
-
FURUYA YUSUKE , SAITO SHOICHI , MATSUO HIROSHI
研究報告システムソフトウェアと オペレーティング・システム(OS) 2009-OS-112(7), 1-9, 2009-07-29
IPSJ References (12) Cited by (1)
-
3
- A Classification and Feature Extraction based on the Static Analysis on the Computer Virus Codes [in Japanese]
-
IWAMOTO Kazuki , WASAKI Katsumi
IEICE technical report 107(397), 107-113, 2007-12-12
CiNii PDF - Open Access References (13) Cited by (2)