New IDS project spots anomalous system behavior

A team of researchers from Binghamton University have been working on a new intrusion detection approach based on monitoring the behavior of systems and spotting when it differs from the one that is considered normal.

The project, titled “Intrusion Detection Systems: Object Access Graphs” and funded by Air Force Office of Scientific Research, is conducted by doctoral students Patricia Moat and Zachary Birnbaum, research scientist Andrey Dolgikh, and they are mentored by Victor Skormin, professor of electrical and computer engineering.

They have chosen not to concentrate on detecting malware, as it can change faster than new signatures for it can be created, but on the systems’ behavior.

“What we do is take a picture of what your computer is doing, and then we compare a picture of your computer behaving normally to one of an infected computer. Then, we just look at the differences,” Birnbaum said. “From that, we can see if your computer has an infection, what type of infection, and from there you know you’re under attack and you can take action.”

These pictures are taken by monitoring system calls that go hand in hand with every computer operation performed.

“System calls accumulated under normal network operation are converted to graph components, and used as part of the IDS normalcy profile,” they explained.

They have developed algorithms to find a system normalcy profile, to find anomalous deviations, to recognize previously detected attacks, and a real-time visualization system to present the results.

“Our IDS has the ability to instantly adopt changes in the normalcy definition,” they pointed out. “Our results demonstrate that achieving efficient anomaly detection is possible through the intelligent application of graph processing algorithms to system behavioral profiling.”

More details about the project can be found here.