Title :
Dynamical System Theory for the Detection of Anomalous Behavior in Computer Programs
Author :
Kanaskar, Nitin ; Seker, Remzi ; Bian, Jiang ; Phoha, Vir V.
Author_Institution :
Univ. of Arkansas at Little Rock, Little Rock, AR, USA
Abstract :
Code injection is a common approach which is utilized to exploit applications. We introduce some of the well-established techniques and formalisms of dynamical system theory into analysis of program behavior via system calls to detect code injections into an applications execution space. We accept a program as a blackbox dynamical system whose internals are not known, but whose output we can observe. The blackbox system observable in our model is the system calls the program makes. The collected system calls are treated as signals which are used to reconstruct the system´s phase space. Then, by using the well-established techniques from dynamical system theory, we quantify the amount of complexity of the system´s (program´s) behavior. The change in the behavior of a compromised system is detected as anomalous behavior compared with the baseline established from a clean program. We test the proposed approach against DARPA-98 dataset and a real-world exploit and present code injection experiments to show the applicability of our approach.
Keywords :
invasive software; systems analysis; DARPA-98 dataset; anomalous behavior detection; applications execution space; blackbox dynamical system; code injection detection; computer program; dynamical system theory; program behavior analysis; system call; Complexity theory; Entropy; Malware; Time series analysis; Anomalous behavior; approximate entropy; central tendency measure (CTM) dynamical system; intrusion detection; percent determinism; percent ratio; percent recurrence; recurrence plots; system call sequence;
Journal_Title :
Systems, Man, and Cybernetics, Part C: Applications and Reviews, IEEE Transactions on
DOI :
10.1109/TSMCC.2012.2208187
