A Planning Approach to Monitoring Computer Programs’ Behavior

Alexandre Cukier; Ronen I. Brafman; Yotam Perkal; David Tolpin

doi:10.1007/978-3-319-94147-9_19

A Planning Approach to Monitoring Computer Programs’ Behavior

Alexandre Cukier
, Ronen I. Brafman
, Yotam Perkal
, David Tolpin

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

We describe a novel approach to monitoring high level behaviors using concepts from AI planning. Our goal is to understand what a program is doing based on its system call trace. This ability is particularly important for detecting malware. We approach this problem by building an abstract model of the operating system using the STRIPS planning language, casting system calls as planning operators. Given a system call trace, we simulate the corresponding operators on our model and by observing the properties of the state reached, we learn about the nature of the original program and its behavior. Thus, unlike most statistical detection methods that focus on syntactic features, our approach is semantic in nature. Therefore, it is more robust against obfuscation techniques used by malware that change the outward appearance of the trace but not its effect. We demonstrate the efficacy of our approach by evaluating it on actual system call traces.

Original language	English
Title of host publication	Cyber Security Cryptography and Machine Learning - Second International Symposium, CSCML 2018, Proceedings
Editors	Itai Dinur, Shlomi Dolev, Sachin Lodha
Publisher	Springer Verlag
Pages	243-254
Number of pages	12
ISBN (Print)	9783319941462
DOIs	https://doi.org/10.1007/978-3-319-94147-9_19
State	Published - 1 Jan 2018
Event	2nd International Symposium on Cyber Security Cryptography and Machine Learning, CSCML 2018 - Beer-Sheva, Israel Duration: 21 Jun 2018 → 22 Jun 2018

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	10879 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	2nd International Symposium on Cyber Security Cryptography and Machine Learning, CSCML 2018
Country/Territory	Israel
City	Beer-Sheva
Period	21/06/18 → 22/06/18

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-319-94147-9_19

Cite this

Cukier, A., Brafman, R. I., Perkal, Y., & Tolpin, D. (2018). A Planning Approach to Monitoring Computer Programs’ Behavior. In I. Dinur, S. Dolev, & S. Lodha (Eds.), Cyber Security Cryptography and Machine Learning - Second International Symposium, CSCML 2018, Proceedings (pp. 243-254). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10879 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-94147-9_19

Cukier, Alexandre ; Brafman, Ronen I. ; Perkal, Yotam et al. / A Planning Approach to Monitoring Computer Programs’ Behavior. Cyber Security Cryptography and Machine Learning - Second International Symposium, CSCML 2018, Proceedings. editor / Itai Dinur ; Shlomi Dolev ; Sachin Lodha. Springer Verlag, 2018. pp. 243-254 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{ac0913743aab49b5992f84b5ec73b380,

title = "A Planning Approach to Monitoring Computer Programs{\textquoteright} Behavior",

abstract = "We describe a novel approach to monitoring high level behaviors using concepts from AI planning. Our goal is to understand what a program is doing based on its system call trace. This ability is particularly important for detecting malware. We approach this problem by building an abstract model of the operating system using the STRIPS planning language, casting system calls as planning operators. Given a system call trace, we simulate the corresponding operators on our model and by observing the properties of the state reached, we learn about the nature of the original program and its behavior. Thus, unlike most statistical detection methods that focus on syntactic features, our approach is semantic in nature. Therefore, it is more robust against obfuscation techniques used by malware that change the outward appearance of the trace but not its effect. We demonstrate the efficacy of our approach by evaluating it on actual system call traces.",

author = "Alexandre Cukier and Brafman, \{Ronen I.\} and Yotam Perkal and David Tolpin",

note = "Publisher Copyright: {\textcopyright} 2018, Springer International Publishing AG, part of Springer Nature.; 2nd International Symposium on Cyber Security Cryptography and Machine Learning, CSCML 2018 ; Conference date: 21-06-2018 Through 22-06-2018",

year = "2018",

month = jan,

day = "1",

doi = "10.1007/978-3-319-94147-9\_19",

language = "English",

isbn = "9783319941462",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "243--254",

editor = "Itai Dinur and Shlomi Dolev and Sachin Lodha",

booktitle = "Cyber Security Cryptography and Machine Learning - Second International Symposium, CSCML 2018, Proceedings",

address = "Germany",

}

Cukier, A, Brafman, RI, Perkal, Y & Tolpin, D 2018, A Planning Approach to Monitoring Computer Programs’ Behavior. in I Dinur, S Dolev & S Lodha (eds), Cyber Security Cryptography and Machine Learning - Second International Symposium, CSCML 2018, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 10879 LNCS, Springer Verlag, pp. 243-254, 2nd International Symposium on Cyber Security Cryptography and Machine Learning, CSCML 2018, Beer-Sheva, Israel, 21/06/18. https://doi.org/10.1007/978-3-319-94147-9_19

A Planning Approach to Monitoring Computer Programs’ Behavior. / Cukier, Alexandre; Brafman, Ronen I.; Perkal, Yotam et al.
Cyber Security Cryptography and Machine Learning - Second International Symposium, CSCML 2018, Proceedings. ed. / Itai Dinur; Shlomi Dolev; Sachin Lodha. Springer Verlag, 2018. p. 243-254 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10879 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - A Planning Approach to Monitoring Computer Programs’ Behavior

AU - Cukier, Alexandre

AU - Brafman, Ronen I.

AU - Perkal, Yotam

AU - Tolpin, David

PY - 2018/1/1

Y1 - 2018/1/1

N2 - We describe a novel approach to monitoring high level behaviors using concepts from AI planning. Our goal is to understand what a program is doing based on its system call trace. This ability is particularly important for detecting malware. We approach this problem by building an abstract model of the operating system using the STRIPS planning language, casting system calls as planning operators. Given a system call trace, we simulate the corresponding operators on our model and by observing the properties of the state reached, we learn about the nature of the original program and its behavior. Thus, unlike most statistical detection methods that focus on syntactic features, our approach is semantic in nature. Therefore, it is more robust against obfuscation techniques used by malware that change the outward appearance of the trace but not its effect. We demonstrate the efficacy of our approach by evaluating it on actual system call traces.

AB - We describe a novel approach to monitoring high level behaviors using concepts from AI planning. Our goal is to understand what a program is doing based on its system call trace. This ability is particularly important for detecting malware. We approach this problem by building an abstract model of the operating system using the STRIPS planning language, casting system calls as planning operators. Given a system call trace, we simulate the corresponding operators on our model and by observing the properties of the state reached, we learn about the nature of the original program and its behavior. Thus, unlike most statistical detection methods that focus on syntactic features, our approach is semantic in nature. Therefore, it is more robust against obfuscation techniques used by malware that change the outward appearance of the trace but not its effect. We demonstrate the efficacy of our approach by evaluating it on actual system call traces.

UR - https://www.scopus.com/pages/publications/85049033618

U2 - 10.1007/978-3-319-94147-9_19

DO - 10.1007/978-3-319-94147-9_19

M3 - Conference contribution

AN - SCOPUS:85049033618

SN - 9783319941462

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 243

EP - 254

BT - Cyber Security Cryptography and Machine Learning - Second International Symposium, CSCML 2018, Proceedings

A2 - Dinur, Itai

A2 - Dolev, Shlomi

A2 - Lodha, Sachin

PB - Springer Verlag

T2 - 2nd International Symposium on Cyber Security Cryptography and Machine Learning, CSCML 2018

Y2 - 21 June 2018 through 22 June 2018

ER -

Cukier A, Brafman RI, Perkal Y, Tolpin D. A Planning Approach to Monitoring Computer Programs’ Behavior. In Dinur I, Dolev S, Lodha S, editors, Cyber Security Cryptography and Machine Learning - Second International Symposium, CSCML 2018, Proceedings. Springer Verlag. 2018. p. 243-254. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-319-94147-9_19

A Planning Approach to Monitoring Computer Programs’ Behavior

Abstract

Publication series

Conference

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this