Host-based intrusion detection by monitoring Windows registry accesses

@inproceedings{Topallar04, abstract = {We propose a host-based intrusion detection system for Microsoft Windows. The proposed system detects attacks on a host machine by monitoring anomalous accesses to the Windows registry. First, a model of normal registry behavior is trained for a host and then this model is used to detect abnormal registry accesses. The system trains a normal model using data that contains no attacks and then checks each access to the registry to determine whether or not the behavior is abnormal and corresponds to an attack. A new approach to register anomaly detection (RAD) is proposed in the meaning of model generator and anomaly detector. A self organizing map (SOM), a type of artificial neural network model, is used as an anomaly detection algorithm. The system is trained on a set of normal registry accesses using SOM algorithm and then it is used to detect the behavior of malicious software. The results of this study show that the proposed system is effective in detecting the behavior of malicious software and has a low rate of false alarms compared to other host-based intrusion detection systems.}, author = {Topallar, M. and Depren, M. O. and Anarim, E. and Ciliz, K. }, booktitle = {Signal Processing and Communications Applications Conference, 2004. Proceedings of the IEEE 12th}, citeulike-article-id = {3044901}, doi = {http://dx.doi.org/10.1109/SIU.2004.1338634}, journal = {Signal Processing and Communications Applications Conference, 2004. Proceedings of the IEEE 12th}, keywords = {cas\_chapter, ids, security, som}, pages = {728--731}, posted-at = {2008-07-26 20:29:35}, priority = {5}, title = {Host-based intrusion detection by monitoring Windows registry accesses}, url = {http://dx.doi.org/10.1109/SIU.2004.1338634}, year = {2004} }

TY - CONF ID - Topallar04 L3 - citeulike-article-id:3044901 TI - Host-based intrusion detection by monitoring Windows registry accesses T2 - Signal Processing and Communications Applications Conference, 2004. Proceedings of the IEEE 12th JF - Signal Processing and Communications Applications Conference, 2004. Proceedings of the IEEE 12th SP - 728 EP - 731 N2 - We propose a host-based intrusion detection system for Microsoft Windows. The proposed system detects attacks on a host machine by monitoring anomalous accesses to the Windows registry. First, a model of normal registry behavior is trained for a host and then this model is used to detect abnormal registry accesses. The system trains a normal model using data that contains no attacks and then checks each access to the registry to determine whether or not the behavior is abnormal and corresponds to an attack. A new approach to register anomaly detection (RAD) is proposed in the meaning of model generator and anomaly detector. A self organizing map (SOM), a type of artificial neural network model, is used as an anomaly detection algorithm. The system is trained on a set of normal registry accesses using SOM algorithm and then it is used to detect the behavior of malicious software. The results of this study show that the proposed system is effective in detecting the behavior of malicious software and has a low rate of false alarms compared to other host-based intrusion detection systems. KW - cas_chapter KW - ids KW - security KW - som AU - Topallar, M AU - Depren, MO AU - Anarim, E AU - Ciliz, K PY - 2004/// UR - http://dx.doi.org/10.1109/SIU.2004.1338634 ER -