Native API based Windows anomaly intrusion detection method using SVM

Although much research has been done on host-based anomaly detection using system-call sequences on UNIX and UNIX-like systems, little has been done on Windows. We carry out a similar study on Windows platforms by tracing sequences of Windows native API calls, which play the role of system calls on Windows. In this article we first introduce the native API briefly, then divide the captured sequences with a sliding-window method to build a database of normal patterns. A support vector machine (SVM) is then used for anomaly detection, chosen for its good performance on small datasets and its generalization capability. The main purpose of this paper is to show that Windows native APIs are a plausible data source for host anomaly detection systems on Windows platforms.
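The pipeline the abstract describes (trace native API calls, cut each trace into fixed-length sliding windows, build a normal-pattern database, classify with an SVM), as an added example that is not the paper's code. The traces are constructed; the Nt* names are real Windows native API routines, but the call sequences, the bigram-frequency encoding, the window length k=2, the linear kernel and the novelty threshold are all assumptions, since the abstract states none of them. A small soft-margin linear SVM trained by batch subgradient descent stands in for whatever SVM implementation the authors used.

```python
"""Sliding-window native-API sequences + a linear SVM for Windows host anomaly detection.

Added example (not the paper's code). The API names are real Windows native API
(Nt*) names; the call sequences below are constructed for illustration.
"""

# Constructed "normal" traces: ordinary file and registry access.
NORMAL_TRACES = [
    ["NtOpenFile", "NtQueryInformationFile", "NtReadFile", "NtReadFile", "NtClose"],
    ["NtCreateFile", "NtWriteFile", "NtWriteFile", "NtClose"],
    ["NtOpenFile", "NtReadFile", "NtClose", "NtOpenKey", "NtQueryValueKey", "NtClose"],
    ["NtOpenKey", "NtQueryValueKey", "NtQueryValueKey", "NtClose"],
]
# Constructed "anomalous" traces: a remote-process code-injection style pattern.
ANOMALOUS_TRACES = [
    ["NtOpenProcess", "NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtCreateThreadEx", "NtClose"],
    ["NtOpenProcess", "NtProtectVirtualMemory", "NtWriteVirtualMemory", "NtQueueApcThread", "NtClose"],
]


def windows(trace, k):
    """Sliding-window method: every length-k contiguous subsequence of the trace."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def train_linear_svm(X, y, lam=0.01, lr=0.1, epochs=2000):
    """Soft-margin linear SVM (primal hinge loss + L2 penalty), full-batch subgradient descent.

    Labels are +1 (normal) / -1 (anomalous). The last feature of every vector is a
    constant 1, so the bias is learned as an ordinary weight.
    """
    n, m = len(X[0]), len(X)
    w = [0.0] * n
    for _ in range(epochs):
        grad = [lam * wj for wj in w]
        for xi, yi in zip(X, y):
            if yi * dot(w, xi) < 1.0:            # margin violated: hinge term is active
                for j in range(n):
                    grad[j] -= yi * xi[j] / m
        w = [wj - lr * gj for wj, gj in zip(w, grad)]
    return w


class NativeApiDetector:
    """Normal-pattern database plus an SVM over sliding-window n-gram frequencies."""

    def __init__(self, k=2, novelty_threshold=0.5):
        self.k = k                                # assumed window length
        self.novelty_threshold = novelty_threshold  # assumed cut-off for unseen windows

    def fit(self, normal, anomalous):
        ngrams = sorted({g for t in normal + anomalous for g in windows(t, self.k)})
        self.vocab = {g: i for i, g in enumerate(ngrams)}
        # The normal-pattern database: every window observed in normal traces.
        self.normal_db = {g for t in normal for g in windows(t, self.k)}
        X = [self.featurize(t) for t in normal + anomalous]
        y = [1.0] * len(normal) + [-1.0] * len(anomalous)
        self.w = train_linear_svm(X, y)
        return self

    def featurize(self, trace):
        """Relative frequency of each known n-gram, an 'unseen n-gram' bucket, and a bias 1."""
        ws = windows(trace, self.k)
        x = [0.0] * (len(self.vocab) + 2)
        for g in ws:
            x[self.vocab.get(g, len(self.vocab))] += 1.0
        for j in range(len(self.vocab) + 1):
            x[j] /= max(len(ws), 1)
        x[-1] = 1.0
        return x

    def novelty_ratio(self, trace):
        """Fraction of the trace's windows that are absent from the normal-pattern database."""
        ws = windows(trace, self.k)
        return sum(1 for g in ws if g not in self.normal_db) / max(len(ws), 1)

    def detect(self, trace):
        score = dot(self.w, self.featurize(trace))
        novelty = self.novelty_ratio(trace)
        return {
            "svm_score": score,
            "novelty": novelty,
            # The SVM only knows behaviour present in training; the database catches the rest.
            "anomalous": score < 0.0 or novelty > self.novelty_threshold,
        }


if __name__ == "__main__":
    det = NativeApiDetector(k=2).fit(NORMAL_TRACES, ANOMALOUS_TRACES)
    for t in [["NtCreateFile", "NtWriteFile", "NtClose"],
              ["NtOpenProcess", "NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtCreateThreadEx"],
              ["NtLoadDriver", "NtUnloadDriver"]]:
        print(t, det.detect(t))
```

The third trace in the usage block is the caveat a practitioner should keep in mind with a two-class SVM: its bigrams appear in neither training class, so every learned n-gram weight is zero and the SVM score collapses to the bias term alone, while the normal-pattern database reports that all of its windows are unseen. Keeping the database check alongside the classifier is what lets the detector flag behaviour that was never part of the training set.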
