Process Flow Features as a Host-based Event Knowledge Representation

Author

Benhur E. Pacer

Date of Award

6-14-2012

Document Type

Thesis

Degree Name

Master of Science

Department

Department of Electrical and Computer Engineering

First Advisor

Gilbert L. Peterson, PhD.

Abstract

The detection of malware is of great importance but even non-malicious software can be used for malicious purposes. Monitoring processes and their associated information can characterize normal behavior and help identify malicious processes or malicious use of normal process by measuring deviations from the learned baseline. This exploratory research describes a novel host feature generation process that calculates statistics of an executing process during a window of time called a process flow. Process flows are calculated from key process data structures extracted from computer memory using virtual machine introspection. Each flow cluster generated using k-means of the flow features represents a behavior where the members of the cluster all exhibit similar behavior. Testing explores associations between behavior and process flows that in the future may be useful for detecting unauthorized behavior or behavioral trends on a host. Analysis of two data collections demonstrate that this novel way of thinking of process behavior as process flows can produce baseline models in the form of clusters that do represent specific behaviors.

AFIT Designator

AFIT-GCS-ENG-12-06

DTIC Accession Number

ADA563042

Recommended Citation

Pacer, Benhur E., "Process Flow Features as a Host-based Event Knowledge Representation" (2012). Theses and Dissertations. 1144.
https://scholar.afit.edu/etd/1144