ETRI Knowledge Sharing Platform

Details

Journal article: Host-based Intrusion Detection System for Secure Human-centric Computing
Cited 32 times in Scopus; downloaded 8 times
Authors
문대성, 반성범, 김익균
Publication date
2016-07
Source
Journal of Supercomputing, v.72 no.7, pp.2520-2536
ISSN
0920-8542
Publisher
Springer
DOI
https://dx.doi.org/10.1007/s11227-015-1506-9
Funded project
16MH2100, Development of cyber targeted-attack recognition and tracking technology based on long-term history analysis of multi-source data, 김익균
Abstract
With the advancement of information and communication technology, people can access many useful services for human-centric computing. Although this advancement increases work efficiency and provides greater convenience, advanced security threats such as the Advanced Persistent Threat (APT) attack have been continuously increasing. Technical measures for protecting against APT attacks are urgently needed, because APT attacks such as the 3.20 Cyber Terror and the SK Communications hacking incident have occurred repeatedly and caused considerable social and economic damage. Moreover, existing security devices have limitations in coping with APT attacks that persist by using zero-day malware. For this reason, we propose a malware detection method based on the behavior information of a process on the host PC. Our proposal overcomes the limitations of existing signature-based intrusion detection systems. First, we defined 39 characteristics for distinguishing malware from benign programs and collected 8.7 million characteristic-parameter events while malware and benign programs were executed in a virtual-machine environment. Then, for an executable program running on a host PC, we represent its behavior information as an 83-dimensional vector by reconstructing, per process ID, the frequency with which each characteristic parameter occurs in the collected data. Including the frequency of characteristic-parameter events occurring in child processes makes the behavior information more accurate. We use a C4.5 decision tree algorithm to detect malware in the database. The results of our proposed method show a 2.0 % false-negative rate and a 5.8 % false-positive rate.
KSP suggested keywords
3-dimensional, APT attacks, C4.5 Decision Tree(C4.5 DT), C4.5 Decision Tree Algorithm, Characteristic parameters, Cyber terror, Decision Tree(DT), Detection Method, Host-based intrusion detection, Human-centric computing, Information and communication technology(ICT)