System and method for mining execution traces with finite automata
First Claim
1. A computerized method for detecting anomalous behavior in an executing software program, said method comprising the steps of:
generating a normal execution trace for the software program;
applying a learning algorithm to the normal execution trace to build a finite automaton;
applying an examination algorithm to the finite automaton to identify undesirable transition states in the finite automaton and to create a labeled finite automaton; and
applying the labeled finite automaton to an execution trace associated with the executing software program to identify undesirable behavior.
Abstract
A system and method by which novel, malicious execution traces may be detected by applying a combination of finite-automaton and heuristic analysis techniques. Such execution traces may be obtained by instrumenting system-level operating system calls, as well as by other techniques, such as, but not limited to, reading error log files, such as Windows NT event logs. With proper instrumentation, known good and known malicious programs may be run and their execution traces monitored. From such monitoring, a model may be derived which indicates those execution traces typically associated with malicious software. With this information, novel malicious programs that invoke execution traces similar to known malicious traces may be detected, and such programs may be stopped before significant damage can occur.
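The four steps of claim 1 and the abstract above can be made concrete with a small working model. The following is an added illustration, not the patent's own implementation: it assumes that the "learning algorithm" builds a k-th order automaton whose states are the last k system calls, that the "examination algorithm" labels a transition undesirable when it is observed only in known-malicious runs, and that a trace with too many never-seen transitions is reported as anomalous. The system-call traces, the state width k and the anomaly threshold are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample system-call traces (illustrative only, not data from the patent).
NORMAL_TRACES = [
    ["open", "read", "read", "close", "open", "write", "close", "exit"],
    ["open", "read", "close", "stat", "open", "read", "write", "close", "exit"],
]
MALICIOUS_TRACES = [
    ["open", "read", "socket", "connect", "write", "close", "execve"],
]
START = "<start>"  # padding symbol for the initial state


def learn_automaton(traces, k=2):
    """Learning algorithm (assumed): a k-th order model. Each state is the tuple of
    the last k calls; a transition records which call was observed next."""
    automaton = defaultdict(set)
    for trace in traces:
        state = (START,) * k
        for call in trace:
            automaton[state].add(call)
            state = state[1:] + (call,)
    return automaton


def label_automaton(normal_automaton, malicious_traces, k=2):
    """Examination algorithm (assumed heuristic): produce the labeled automaton as a
    map (state, next_call) -> label. Transitions learned from good runs are 'normal';
    transitions that appear only in known-bad runs are 'malicious'."""
    labels = {}
    for state, calls in normal_automaton.items():
        for call in calls:
            labels[(state, call)] = "normal"
    for state, calls in learn_automaton(malicious_traces, k).items():
        for call in calls:
            labels.setdefault((state, call), "malicious")
    return labels


def examine_trace(labels, trace, k=2):
    """Apply the labeled automaton to an execution trace. Returns one
    (state, call, label) triple per transition; transitions the model has never
    seen are labeled 'unknown'."""
    result = []
    state = (START,) * k
    for call in trace:
        result.append((state, call, labels.get((state, call), "unknown")))
        state = state[1:] + (call,)
    return result


def classify(labels, trace, k=2, unknown_threshold=0.5):
    """Verdict for a trace: any transition seen only in malicious runs is decisive;
    otherwise a high share of unknown transitions marks a novel, anomalous program."""
    verdicts = [label for _, _, label in examine_trace(labels, trace, k)]
    if not verdicts:
        return "normal"
    if "malicious" in verdicts:
        return "malicious"
    if verdicts.count("unknown") / len(verdicts) > unknown_threshold:
        return "anomalous"
    return "normal"


def build_model(k=2):
    """Steps 1-3 of the claim: trace, learn, examine/label."""
    return label_automaton(learn_automaton(NORMAL_TRACES, k), MALICIOUS_TRACES, k)


if __name__ == "__main__":
    model = build_model()
    # Constructed test traces: a benign run, a run mimicking the known-bad program,
    # and a novel run the model has never seen.
    for trace in (NORMAL_TRACES[0],
                  ["open", "read", "socket", "connect", "write", "close", "execve"],
                  ["mmap", "mprotect", "open", "read"]):
        print(classify(model, trace), trace)
```

The "malicious" label wins over the unknown-ratio check so that a single known-bad transition is enough to stop a program, while the ratio guards against flagging benign programs that merely exercise a path absent from the training traces; in practice the threshold and k are tuned against the false-positive rate observed on the known-good corpus.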
Specification