Behavioural Comparison of Systems for Anomaly Detection

2018 
The internet is a bottomless cesspool of malicious software that attacks users and their devices, or servers that offer services, on a worldwide scale. Defending against this constant barrage of attacks is difficult. While knowledge of previous attacks helps to prevent some new attacks, a determined attacker will almost always succeed. This paper proposes an approach to detect novel attacks via a comparison of system behaviour. A combination of system-wide event collection and subsequent data analysis fingerprints processes and their file access behaviour. A comparison of these fingerprints results in seven "sameness" categories for processes, sorted from completely identical behaviour to unique and therefore highly suspicious. This categorisation provides guidance for further detailed assessment, if required. Results and insights from a prototype implementation suggest that the presented approach is a viable strategy for the detection of novel attacks.