Current software behavior models lack the ability to conduct semantic analysis. We propose a new model that detects abnormal behaviors based on a function semantic tree. First, a software behavior model is developed in terms of a state graph and software functions. Next, anomaly detection based on the model is conducted in two main steps: calculating the deviation density of suspicious behaviors by comparison with the state graph, and checking function sequences against function semantic rules. Deviation density, which uses a deviation factor and a period division, detects control flow attacks well. In addition, with the help of semantic analysis, function semantic rules can accurately detect application layer attacks that traditional approaches fail to detect. Finally, a case study of RSS software illustrates how our approach works. The case study and a contrast experiment show that our model has strong expressivity and detection ability and outperforms traditional behavior models.
Yingxu LAI
Beijing University of Technology
Wenwen ZHANG
Beijing University of Technology
Zhen YANG
Beijing University of Technology
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Yingxu LAI, Wenwen ZHANG, Zhen YANG, "Software Abnormal Behavior Detection Based on Function Semantic Tree" in IEICE TRANSACTIONS on Information, vol. E98-D, no. 10, pp. 1777-1787, October 2015, doi: 10.1587/transinf.2015EDP7098.
URL: https://global.ieice.org/en_transactions/information/10.1587/transinf.2015EDP7098/_p
@ARTICLE{e98-d_10_1777,
author={Yingxu LAI and Wenwen ZHANG and Zhen YANG},
journal={IEICE TRANSACTIONS on Information},
title={Software Abnormal Behavior Detection Based on Function Semantic Tree},
year={2015},
volume={E98-D},
number={10},
pages={1777-1787},
keywords={},
doi={10.1587/transinf.2015EDP7098},
ISSN={1745-1361},
month={October},}
TY - JOUR
TI - Software Abnormal Behavior Detection Based on Function Semantic Tree
T2 - IEICE TRANSACTIONS on Information
SP - 1777
EP - 1787
AU - Yingxu LAI
AU - Wenwen ZHANG
AU - Zhen YANG
PY - 2015
DO - 10.1587/transinf.2015EDP7098
JO - IEICE TRANSACTIONS on Information
SN - 1745-1361
VL - E98-D
IS - 10
JA - IEICE TRANSACTIONS on Information
Y1 - October 2015
ER -