Abstract

In this paper, we present a novel framework that uses the information in the kernel structures of a process to perform run-time analysis of the behavior of an executing program. Our analysis shows that classifying a process as malicious or benign using the information in its kernel structures is not only very accurate but also has very low processing overhead; as a result, this lightweight framework can be incorporated within the operating system kernel. To provide a proof-of-concept of our thesis, we design and implement our system as a kernel module in Linux. We perform time series analysis of 118 parameters of Linux task structures and pre-process them to arrive at a minimal set of 11 features. Our analysis shows that these features have remarkably different values for benign and malicious processes; as a result, a number of classifiers operating on these features provide 93% detection accuracy with a 0% false alarm rate within 100 milliseconds. Last but not least, we argue that it is very difficult for a crafty attacker to evade these low-level, system-specific features.
Year | DOI | Venue |
---|---|---|
2011 | 10.1109/icc.2011.5963012 | Communications |

Keywords | Field | DocType |
---|---|---|
Linux, invasive software, operating system kernels, program diagnostics, task analysis, time series, Linux kernel module, Linux process, Linux task structure, benign process, executing program behavior, in-execution malware detection, low-level system specific feature, malicious process, operating system kernel, process classification, process kernel structure, processing overhead, run-time analysis, time series analysis | Kernel (linear algebra), Time series, Task analysis, Computer science, Feature extraction, Real-time computing, Constant false alarm rate, Operating system kernel, Malware, Operating system, Overhead (business), Embedded system | Conference |

ISSN | ISBN | Citations |
---|---|---|
1550-3607 (E-ISBN: 978-1-61284-231-8) | 978-1-61284-231-8 | 6 |

PageRank | References | Authors |
---|---|---|
0.55 | 7 | 4 |
Name | Order | Citations | PageRank |
---|---|---|---|
Farrukh Shahzad | 1 | 55 | 4.00 |
Sohail Bhatti | 2 | 6 | 0.55 |
Muhammad Shahzad | 3 | 728 | 44.77 |
Muddassar Farooq | 4 | 1221 | 83.47 |