Abstract
Advances in information and communication technology have made many useful services available for human-centric computing. Although these advances raise work efficiency and give people greater convenience, advanced security threats such as the Advanced Persistent Threat (APT) attack continue to increase. Technical countermeasures against APT attacks are urgently needed: APT attacks such as the 3.20 Cyber Terror and the SK Communications hacking incident have occurred repeatedly and cause considerable social and economic damage, and existing security devices have limited ability to cope with APT attacks that persist by using zero-day malware. We therefore propose a malware detection method based on the behavior information of processes on a host PC, which overcomes the limitations of existing signature-based intrusion detection systems. First, we defined 39 characteristics for distinguishing malware from benign programs and collected 8.7 million characteristic parameter events by executing malware and benign programs in a virtual-machine environment. Then, for an executable program running on a host PC, we represent its behavior information as an 83-dimensional vector by counting the occurrences of each characteristic parameter per process ID in the collected data. Including the frequency of characteristic parameter events that occur in child processes yields more accurate behavior information. We use the C4.5 decision tree algorithm to classify the resulting vectors as malware or benign. The proposed method achieves a 2.0 % false-negative rate and a 5.8 % false-positive rate.
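The two steps the abstract describes, rolling per-process event counts up into one behavior vector per root process (so that a child process's activity is charged to the program that spawned it) and choosing a C4.5 split by gain ratio, as an added example that is not the paper's own code. The characteristic names, process IDs, monitoring events and training labels are constructed for illustration and do not reproduce the paper's 39 characteristics or 83-dimensional vector; a full C4.5 tree would recurse on both sides of the split and prune, whereas this stops at the root split so the criterion stays visible.

```python
"""Added example (not the paper's code): per-process behavior vectors that
include child-process events, then a C4.5 gain-ratio split over them.
Events, PIDs, characteristic names and labels below are constructed."""
from collections import Counter, defaultdict
from math import log2

# Assumed stand-ins for characteristic parameters (the paper defines 39).
FEATURES = ["RegSetValue", "WriteFile", "CreateProcess", "TCP Connect", "DeleteFile"]

# Constructed monitoring events: (pid, parent_pid, characteristic).
# PID 200 is a child of 100; PIDs 500 and 600 descend from 400.
EVENTS = [
    (100, 1, "WriteFile"), (100, 1, "CreateProcess"),
    (200, 100, "RegSetValue"), (200, 100, "TCP Connect"), (200, 100, "TCP Connect"),
    (300, 1, "WriteFile"), (300, 1, "WriteFile"),
    (400, 1, "CreateProcess"),
    (500, 400, "RegSetValue"), (500, 400, "DeleteFile"), (500, 400, "TCP Connect"),
    (600, 500, "TCP Connect"),
]

# Constructed labelled vectors (same feature order) used to fit the split.
TRAINING = [
    ([1, 1, 1, 2, 0], "malware"), ([1, 0, 1, 2, 1], "malware"),
    ([2, 0, 0, 3, 1], "malware"), ([0, 1, 0, 1, 0], "malware"),
    ([0, 2, 0, 0, 0], "benign"),  ([0, 3, 1, 0, 0], "benign"),
    ([1, 1, 0, 0, 0], "benign"),  ([1, 2, 0, 0, 0], "benign"),
]


def build_vectors(events, features=FEATURES, root_ppid=1):
    """Return {root_pid: counts}; each root process's vector also counts the
    events of every descendant process, as the abstract describes."""
    index = {f: i for i, f in enumerate(features)}
    parent = {}
    own = defaultdict(lambda: [0] * len(features))
    for pid, ppid, feat in events:
        parent[pid] = ppid
        own[pid][index[feat]] += 1          # unknown characteristics raise KeyError on purpose

    def root_of(pid):
        while parent.get(pid, root_ppid) != root_ppid:
            pid = parent[pid]
        return pid

    vectors = defaultdict(lambda: [0] * len(features))
    for pid, counts in own.items():
        r = root_of(pid)
        vectors[r] = [a + b for a, b in zip(vectors[r], counts)]
    return dict(vectors)


def entropy(labels):
    n = len(labels)
    return -sum((c / n) * log2(c / n) for c in Counter(labels).values())


def gain_ratio(values, labels, threshold):
    """C4.5 gain ratio of the binary split value <= threshold."""
    left = [l for v, l in zip(values, labels) if v <= threshold]
    right = [l for v, l in zip(values, labels) if v > threshold]
    if not left or not right:
        return 0.0
    n = len(labels)
    gain = entropy(labels) - (len(left) / n * entropy(left) + len(right) / n * entropy(right))
    split_info = entropy(["L"] * len(left) + ["R"] * len(right))
    return gain / split_info


def best_split(vectors, labels, features=FEATURES):
    """(feature, threshold, gain_ratio) of the best root split; candidate
    thresholds lie midway between adjacent distinct values, as C4.5 does."""
    best = (None, None, 0.0)
    for i, f in enumerate(features):
        values = [v[i] for v in vectors]
        distinct = sorted(set(values))
        for lo, hi in zip(distinct, distinct[1:]):
            t = (lo + hi) / 2
            gr = gain_ratio(values, labels, t)
            if gr > best[2]:
                best = (f, t, gr)
    return best


def fit_stump(vectors, labels, features=FEATURES):
    """One-level tree: best split plus the majority label on each side."""
    f, t, gr = best_split(vectors, labels, features)
    i = features.index(f)
    left = Counter(l for v, l in zip(vectors, labels) if v[i] <= t).most_common(1)[0][0]
    right = Counter(l for v, l in zip(vectors, labels) if v[i] > t).most_common(1)[0][0]
    return {"feature": f, "threshold": t, "gain_ratio": gr, "left": left, "right": right}


def predict(stump, vector, features=FEATURES):
    i = features.index(stump["feature"])
    return stump["left"] if vector[i] <= stump["threshold"] else stump["right"]


if __name__ == "__main__":
    stump = fit_stump([v for v, _ in TRAINING], [l for _, l in TRAINING])
    print("root split:", stump)
    for pid, vec in build_vectors(EVENTS).items():
        print(pid, vec, predict(stump, vec))
```

Without the child rollup, PID 400 would look like a program that did nothing but call CreateProcess; the network and registry activity of its children is what makes the vector classifiable.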
References
NSHC (2013) 3.20 South Korea Cyber Attack, Red Alert Research Report. http://training.nshc.net/KOR/Document/virus/20130321_320CyberTerrorIncidentResponseReportbyRedAlert(EN).pdf. Accessed 24 March 2015
Command Five Pty Ltd (2011) SK hack by an advanced persistent threat. http://www.commandfive.com/papers/C5_APT_SKHack.pdf. Accessed 24 March 2015
Tankard C (2011) Persistent threats and how to monitor and deter them. Netw Secur 2011(8):16–19
Symantec (2011) Symantec Internet Security Threat Report. https://www4.symantec.com/mktginfo/downloads/21182883_GA_REPORT_ISTR_Main-Report_04-11_HI-RES.pdf. Accessed 24 March 2015
RSA (2011) RSA 2011 cybercrime trends report. Whitepaper
Hu J (2010) Host-based anomaly intrusion detection. In: Handbook of information and communication security. Springer, Berlin, pp 235–255
Ashoor AS, Gore S (2011) Intrusion detection system: case study. In: Proceedings of international conference on advanced materials engineering, vol 15, pp 6–9
NIST (2012) Special Publication 800-30 Revision 1: Guide for conducting risk assessments. http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf. Accessed 24 March 2015
RSA (2011) RSA Security Brief: Mobilizing intelligent security operations for advanced persistent threats. http://www.emc.com/collateral/industry-overview/11313-apt-brf.pdf, February 2011. Accessed 24 March 2015
Son K, Lee T, Won D (2014) Design for Zombie PCs and APT Attack Detection based on traffic analysis. J Korea Inst Inf Secur Cryptol 24(3):491–498
Verizon. Threats on the horizon—the rise of the advanced persistent threat. http://www.fortinet.com/sites/default/files/solutionbrief/threats-on-the-horizon-rise-of-advanced-persistent-threats.pdf. Accessed 24 March 2015
Tandon G (2008) Machine learning for host-based anomaly detection. Dissertation, Florida Institute of Technology
Wang W, Guan XH, Zhang XL (2004) Modeling program behaviors by hidden Markov models for intrusion detection. In: Proceedings of international conference on machine learning and cybernetics, pp 2830–2835
Warrender C, Forrest S, Pearlmutter B (1999) Detecting intrusions using system calls: alternative data models. In: Proceedings of IEEE symposium on security and privacy, pp 133–145
Murtaza SS, Khreich W, Hamou-Lhadj A, Couture M (2013) A host-based anomaly detection approach by representing system calls as states of kernel modules. In: Proceedings of 24th international symposium on software reliability engineering (ISSRE), pp 431–440
Kaur H, Gill N (2013) Host based anomaly detection using fuzzy genetic approach (FGA). Int J Comput Appl 74(20):5–9
Santos I et al (2010) Idea: Opcode-sequence-based malware detection. In: Proceedings of the 2nd international symposium on engineering secure software and systems (ESSoS 2010). Lecture notes in computer science, vol 5965, pp 35–43
Kim HJ, Lee S-W (2013) A hardware-based string matching using state transition compression for deep packet inspection. ETRI J 35(1):154–157. doi:10.4218/etrij.13.0212.0165
Song J, Kim H, Gkelias A (2014) iVisher: real-time detection of caller ID spoofing. ETRI J 36(5):865–875. doi:10.4218/etrij.14.0113.0798
Cho J, Shon T, Choi K, Moon J (2013) Dynamic learning model update of hybrid-classifiers for intrusion detection. J Supercomput 64(2):522–526
Xiong W, Xiong N, Yang LT, Park JH, Hu H, Wang Q (2013) An anomaly-based detection in ubiquitous network using the equilibrium state of the catastrophe theory. J Supercomput 64(2):274–294
Jin H, Xiang G, Zou D, Wu S, Zhao F, Li M, Zheng W (2013) A VMM-based intrusion prevention system in cloud computing environment. J Supercomput 66(3):1133–1151
Cuckoo sandbox. http://www.cuckoosandbox.org. Accessed 24 March 2015
Process monitor. http://technet.microsoft.com/ko-kr/sysinternals/bb896645. Accessed 24 March 2015
Malshare. http://malshare.com/. Accessed 24 March 2015
WEKA Open Sources tools for Data Mining. http://www.cs.waikato.ac.nz/ml/weka/. Accessed 24 March 2015
Acknowledgments
This work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (No. B0101-15-1293, Cyber targeted attack recognition and trace-back technology based-on long-term historic analysis of multi-source data).
Cite this article
Moon, D., Pan, S.B. & Kim, I. Host-based intrusion detection system for secure human-centric computing. J Supercomput 72, 2520–2536 (2016). https://doi.org/10.1007/s11227-015-1506-9