Supervisory Control of Malicious Executables in Software Processes

This chapter models the execution of a software process as a discrete event system represented by a Deterministic Finite State Automaton (DFSA). Supervisory Control Theory (SCT) is applied for on-line detection of malicious executables and prevention of their spread. The language measure theory, described in Chapter 1, is adapted for performance evaluation and comparison of the unsupervised process automaton and five different supervised process automata. Simulation experiments under different scenarios show the rate of correct detection of malicious executables to be 88.75%.
