DocumentCode
259718
Title
An abnormal file access behavior detection approach based on file path diversity
Author
Xiaobin Wang ; Yonglin Sun ; Yongjun Wang
Author_Institution
College of Computer, National University of Defense Technology, 410073, Changsha, HuNan Province, China
fYear
2014
fDate
15-17 May 2014
Firstpage
1
Lastpage
5
Abstract
Information security is a great challenge for organizations in our modern information world. Existing security facilities like Firewalls, Intrusion Detection Systems and Antivirus are not enough to guarantee the security of information. A file is an important carrier of information, which is the intent of quite a number of attackers. In this paper, we propose an FPD-based approach for detecting abnormal file access behaviours. FPD (File Path Diversity) is a quantized value which measures how far a set of file paths is spread out, and in which abnormal file access behaviours and normal ones show significant differences, making it an effective indicator for detecting malicious processes that are controlled by attackers to search and steal valuable files. An algorithm for calculating FPD values is presented, as well as a prototype system based on FPD for detecting malicious processes. Experiments demonstrate that FPD is very effective in detecting malicious processes with abnormal file access behaviours; we get a best result of a 100% Detection Rate and a 3.85% False Positive Rate.
Keywords
Information security; abnormal file access behaviours; anomaly detection; file path diversity;
fLanguage
English
Publisher
iet
Conference_Titel
Information and Communications Technologies (ICT 2014), 2014 International Conference on
Conference_Location
Nanjing, China
Type
conf
DOI
10.1049/cp.2014.0632
Filename
6913685