SpringerLink - Book Chapter

Detecting Malicious Software by Monitoring Anomalous Windows Registry Accesses

Book Series

Lecture Notes in Computer Science

Publisher

Springer Berlin / Heidelberg

ISSN

0302-9743 (Print) 1611-3349 (Online)

Volume

Volume 2516/2002

Book

Recent Advances in Intrusion Detection

DOI

10.1007/3-540-36084-0

2002

ISBN

978-3-540-00020-4

DOI

10.1007/3-540-36084-0_3

Pages

36-53

Subject Collection

Computer Science

SpringerLink Date

Tuesday, January 01, 2002

Detecting Malicious Software by Monitoring Anomalous Windows Registry Accesses

Frank Apap⁷, Andrew Honig⁷, Shlomo Hershkop⁷, Eleazar Eskin⁷ and Sal Stolfo⁷

(7)	Department of Computer Science, Columbia University, New York, NY 10027, USA

Abstract

We present a host-based intrusion detection system (IDS) for Microsoft Windows. The core of the system is an algorithm that detects attacks on a host machine by looking for anomalous accesses to the Windows Registry. The key idea is to first train a model of normal registry behavior on a windows host, and use this model to detect abnormal registry accesses at run-time. The normal model is trained using clean (attack-free) data. At run-time the model is used to check each access to the registry in real time to determine whether or not the behavior is abnormal and (possibly) corresponds to an attack. The system is effective in detecting the actions of malicious software while maintaining a low rate of false alarms

Frank Apap
Email: fapap@cs.columbia.edu

Andrew Honig
Email: arh@cs.columbia.edu

Shlomo Hershkop
Email: shlomo@cs.columbia.edu

Eleazar Eskin
Email: eeskin@cs.columbia.edu

Sal Stolfo
Email: sal@cs.columbia.edu

Detecting Malicious Software by Monitoring Anomalous Windows Registry Accesses

Fulltext Preview (Small, Large)