RAD
Registry Anomaly Detection
Part of the IDS research project at Columbia University.
People
Frank Apap - fsa3@columbia.edu
Andrew Honig - arh21@columbia.edu
Project Abstract
We present a host-based intrusion detection system for Microsoft Windows. The algorithm detects attacks on a host machine by looking for anomalous accesses to the Windows Registry. The key idea is to first train a model of normal registry behavior for a host and then to use this model to detect abnormal registry accesses at run-time. The system trains the normal model on data that contains no attacks; at run-time it then checks each access to the registry in real time to determine whether the behavior is abnormal and corresponds to an attack. We evaluate the system by training it on a set of normal registry accesses and then using it to detect the actions of malicious software.
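The train-then-detect loop described in the abstract, as an added example that is not the RAD project's own code, algorithm or data. It assumes each registry access is reduced to four features (process, query type, key, result) and scores a run-time access by how many of its feature values, and how many of its feature-value pairs, never appeared in the attack-free training set; the feature names, the scoring rule, the threshold and every record below are assumptions constructed for illustration.

```python
# Added example: a simplified train-then-detect model over Windows Registry
# access records, in the spirit of the approach the abstract describes.
# It is NOT the RAD project's own algorithm or data; the feature names
# (process, query, key, result) and all records below are assumptions
# constructed for illustration.
from collections import Counter
from itertools import combinations

FEATURES = ("process", "query", "key", "result")
PAIRS = tuple(combinations(FEATURES, 2))


class RegistryAnomalyModel:
    """Records which feature values and which value pairs appeared during
    attack-free training; at run time an access is scored by how many of
    its values and value pairs were never seen."""

    def __init__(self):
        self.first = {f: Counter() for f in FEATURES}
        self.second = {p: Counter() for p in PAIRS}
        self.n_records = 0

    def train(self, records):
        for r in records:
            self.n_records += 1
            for f in FEATURES:
                self.first[f][r[f]] += 1
            for a, b in PAIRS:
                self.second[(a, b)][(r[a], r[b])] += 1

    def score(self, r):
        """Anomaly score in 0..10: one point per unseen value (4 features)
        plus one per unseen value pair (6 pairs)."""
        unseen_values = sum(1 for f in FEATURES if self.first[f][r[f]] == 0)
        unseen_pairs = sum(
            1 for a, b in PAIRS if self.second[(a, b)][(r[a], r[b])] == 0
        )
        return unseen_values + unseen_pairs

    def is_anomalous(self, r, threshold=2):
        return self.score(r) >= threshold


def access(process, query, key, result):
    return {"process": process, "query": query, "key": key, "result": result}


# Constructed sample data (not from the project's published data set).
RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
EXPLORER = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer"
TCPIP = r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip"

TRAINING = [
    access("explorer.exe", "QueryValue", RUN, "SUCCESS"),
    access("explorer.exe", "QueryValue", RUN, "SUCCESS"),
    access("explorer.exe", "OpenKey", EXPLORER, "SUCCESS"),
    access("svchost.exe", "QueryValue", TCPIP, "NOTFOUND"),
    access("svchost.exe", "OpenKey", TCPIP, "SUCCESS"),
    access("regedit.exe", "SetValue", EXPLORER, "SUCCESS"),
]

# Run-time accesses to check: a normal one, a recombination of seen values
# that never co-occurred, and an unknown process writing an autorun entry.
RUNTIME = [
    access("explorer.exe", "QueryValue", RUN, "SUCCESS"),
    access("explorer.exe", "SetValue", RUN, "SUCCESS"),
    access("malware.exe", "SetValue", RUN, "SUCCESS"),
]


def build_model(records=TRAINING):
    model = RegistryAnomalyModel()
    model.train(records)
    return model


def detect(model, records, threshold=2):
    """Return (record, score, flagged) for each run-time access."""
    return [(r, model.score(r), model.is_anomalous(r, threshold)) for r in records]


if __name__ == "__main__":
    model = build_model()
    for r, s, flagged in detect(model, RUNTIME):
        tag = "ALERT" if flagged else "ok   "
        print(f"{tag} score={s} {r['process']} {r['query']} {r['key']}")
```

The second-order (pair) checks are what make the third access stand out even though three of its four values are individually familiar: a known process writing to a known autorun key is not alarming by itself, but that process was never seen issuing a write, and that key was never seen being written. In a real deployment the threshold would be tuned on held-out attack-free data so that ordinary recombinations of seen values stay below it.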
Project Status
We are currently polishing our paper (pdf, ps). We plan to add new features to our training and detection algorithm. We are also setting up a demo of the RAD system.
Screenshots
Soon we will show some pictures of the model generator and anomaly detector in action.
Project Data
As discussed in our paper, we are publishing the training data we used to build our models. This data may be useful to others doing research on the Windows Registry.
The data is available here