A Planning Approach to Monitoring Behavior of Computer Programs
We describe a novel approach to monitoring high-level behaviors using
concepts from AI planning. Our goal is to understand what a program is doing
based on its system call trace. This ability is particularly important for
detecting malware. We approach this problem by building an abstract model of
the operating system using the STRIPS planning language, casting system calls
as planning operators. Given a system call trace, we simulate the corresponding
operators on our model and by observing the properties of the state reached, we
learn about the nature of the original program and its behavior. Thus, unlike
most statistical detection methods that focus on syntactic features, our
approach is semantic in nature. Therefore, it is more robust against
obfuscation techniques used by malware that change the outward appearance of
the trace but not its effect. We demonstrate the efficacy of our approach by
evaluating it on actual system call traces.
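As an added illustration of the approach the abstract describes (not code from the paper), the following toy models a handful of system calls as STRIPS-style operators with preconditions and add/delete effects, replays a trace against the abstract state, and then checks a property of the reached state. The operator set, predicates and traces are constructed assumptions; the point is that a trace padded with no-effect calls and reordered independent calls reaches the same abstract state as the plain one, so a state-based check is unaffected by that surface change.

```python
# Toy STRIPS-style operator table: syscall -> (parameters, preconditions,
# add effects, delete effects). Predicates are tuples; "?x" marks a parameter.
OPERATORS = {
    "open":    (("f",), set(),                  {("opened", "?f")},    set()),
    "read":    (("f",), {("opened", "?f")},     {("read", "?f")},      set()),
    "close":   (("f",), {("opened", "?f")},     set(),                 {("opened", "?f")}),
    "socket":  (("s",), set(),                  {("socket", "?s")},    set()),
    "connect": (("s",), {("socket", "?s")},     {("connected", "?s")}, set()),
    "send":    (("s",), {("connected", "?s")},  {("sent", "?s")},      set()),
    "getpid":  ((),     set(),                  set(),                 set()),  # no effect on the model
}

def bind(pred, env):
    """Substitute bound arguments for ?-variables in a predicate tuple."""
    return tuple(env[t[1:]] if t.startswith("?") else t for t in pred)

def simulate(trace, state=frozenset()):
    """Apply each (syscall, *args) to the abstract state. A call whose
    preconditions do not hold is treated as failed and has no effect;
    calls absent from the model are ignored."""
    state = set(state)
    for name, *args in trace:
        if name not in OPERATORS:
            continue
        params, pre, add, delete = OPERATORS[name]
        env = dict(zip(params, args))
        if all(bind(p, env) in state for p in pre):
            state -= {bind(p, env) for p in delete}
            state |= {bind(p, env) for p in add}
    return frozenset(state)

def exfiltrates(state):
    """Property of the reached state used as the detection signal here:
    some file was read and data was sent on some connected socket.
    (Assumed, coarse property; a fuller model would track data flow.)"""
    return any(p[0] == "read" for p in state) and any(p[0] == "sent" for p in state)

# Constructed traces. OBFUSCATED has the same effect as TRACE but a different
# surface form: no-op calls inserted and independent calls reordered.
TRACE = [("open", "/etc/passwd"), ("read", "/etc/passwd"), ("close", "/etc/passwd"),
         ("socket", "s0"), ("connect", "s0"), ("send", "s0")]
OBFUSCATED = [("socket", "s0"), ("getpid",), ("open", "/etc/passwd"), ("connect", "s0"),
              ("getpid",), ("read", "/etc/passwd"), ("send", "s0"), ("close", "/etc/passwd")]
BENIGN = [("open", "/etc/passwd"), ("read", "/etc/passwd"), ("close", "/etc/passwd"),
          ("socket", "s0"), ("send", "s0")]  # send without connect: precondition fails

if __name__ == "__main__":
    for t in (TRACE, OBFUSCATED, BENIGN):
        print(sorted(simulate(t)), exfiltrates(simulate(t)))
```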