{"title":"Endpoint Data Classification Using Markov Chains","authors":"Stefan Marschalek, R. Luh, S. Schrittwieser","doi":"10.1109/ICSSA.2017.17","DOIUrl":null,"url":null,"abstract":"Behavior based analysis of software executed in a sandbox environment has become an established part of malware and APT detection. In this paper, we explore a unique approach to conduct such an analysis based on data generated by live corporate workstations. We specifically collect high-level Windows events via a real-time kernel monitoring agent and build event propagation trees on top of it. Those trees are representative for the behavior exhibited by the programs running on the monitored machine. After a necessary discretization phase we use a moderately modified version of the Markov chain algorithm to create a distance matrix based on the discretized behavioral profiles. Distance based clustering is then applied to classify the processes in question. We evaluated our approach on a goodware dataset collected on actively used workstations. Initial results show that the Markov approach can be used to reliably classify arbitrary processes and helps identify potentially harmful outliers.","PeriodicalId":307280,"journal":{"name":"2017 International Conference on Software Security and Assurance (ICSSA)","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2017-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 International Conference on Software Security and Assurance (ICSSA)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICSSA.2017.17","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 2
Abstract
Behavior-based analysis of software executed in a sandbox environment has become an established part of malware and APT detection. In this paper, we explore a unique approach to conducting such an analysis based on data generated by live corporate workstations. Specifically, we collect high-level Windows events via a real-time kernel monitoring agent and build event propagation trees on top of them. These trees are representative of the behavior exhibited by the programs running on the monitored machine. After a necessary discretization phase, we use a moderately modified version of the Markov chain algorithm to create a distance matrix based on the discretized behavioral profiles. Distance-based clustering is then applied to classify the processes in question. We evaluated our approach on a goodware dataset collected on actively used workstations. Initial results show that the Markov approach can be used to reliably classify arbitrary processes and helps identify potentially harmful outliers.
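The pipeline the abstract sketches (a discretized event trace per process, a Markov-chain behavioural profile built from it, a pairwise distance matrix over those profiles, and distance-based clustering that leaves suspicious processes as outliers) can be illustrated end to end in a few dozen lines. The Python below is an added example written for this page, not the authors' implementation. Everything in it is an assumption chosen for illustration: the seven-event vocabulary, the constructed traces, additive smoothing with alpha = 0.5, a per-state L1 distance between outgoing-transition distributions, and single-linkage clustering at a threshold of 0.3. It stands in for the paper's kernel agent, event propagation trees and modified Markov algorithm, none of which are reproduced here.

```python
"""Markov-chain behavioural distance and clustering over discretized event traces.

Added illustration for this page, not the paper's code. Alphabet, traces,
smoothing, distance and threshold are all constructed assumptions.
"""
from collections import defaultdict
from itertools import combinations

# Discretized high-level event vocabulary (constructed; the paper's real
# discretization of kernel events is not reproduced here).
EVENTS = ["proc_create", "file_read", "file_write", "reg_read",
          "reg_write", "net_connect", "thread_inject"]

# Constructed per-process traces: two office-like, two browser-like, one odd.
TRACES = {
    "word.exe":   ["proc_create"] + ["file_read", "reg_read", "file_write"] * 6,
    "excel.exe":  ["proc_create"] + ["file_read", "reg_read", "file_write"] * 5
                  + ["file_read", "file_write"],
    "chrome.exe": ["proc_create"] + ["net_connect", "file_write", "reg_read"] * 6,
    "firefox.exe": ["proc_create"] + ["net_connect", "file_write", "reg_read"] * 5
                   + ["net_connect", "net_connect", "file_write"],
    "suspicious.exe": ["proc_create", "reg_write", "thread_inject", "net_connect",
                       "reg_write", "thread_inject", "net_connect", "proc_create",
                       "thread_inject"],
}


def transition_matrix(trace, alphabet=EVENTS, alpha=0.5):
    """First-order Markov profile: P[a][b] = P(next event = b | current = a).

    Additive (Laplace) smoothing with pseudo-count alpha keeps every transition
    strictly positive, so a process that never showed some event still gets a
    well-defined (uniform) row and distances stay finite. Each row sums to 1.
    """
    counts = {a: {b: alpha for b in alphabet} for a in alphabet}
    for cur, nxt in zip(trace, trace[1:]):
        counts[cur][nxt] += 1
    return {a: {b: counts[a][b] / sum(counts[a].values()) for b in alphabet}
            for a in alphabet}


def chain_distance(p, q, alphabet=EVENTS):
    """Symmetric distance between two profiles: the mean over states of the L1
    distance between their outgoing-transition distributions (0 = identical,
    2 = maximally different). An illustrative choice, not the paper's metric."""
    return sum(sum(abs(p[a][b] - q[a][b]) for b in alphabet)
               for a in alphabet) / len(alphabet)


def distance_matrix(profiles):
    """Pairwise distance matrix keyed by process name (diagonal is 0)."""
    names = list(profiles)
    dist = {n: {m: 0.0 for m in names} for n in names}
    for n, m in combinations(names, 2):
        dist[n][m] = dist[m][n] = chain_distance(profiles[n], profiles[m])
    return dist


def cluster(dist, threshold):
    """Single-linkage clustering via union-find: any pair closer than the
    threshold is merged. Returns clusters as sorted lists of names."""
    parent = {n: n for n in dist}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for n, m in combinations(dist, 2):
        if dist[n][m] <= threshold:
            parent[find(n)] = find(m)
    groups = defaultdict(list)
    for n in dist:
        groups[find(n)].append(n)
    return sorted(sorted(g) for g in groups.values())


def outliers(dist, threshold):
    """Processes whose nearest neighbour is farther than the threshold, i.e.
    the singletons that warrant an analyst's attention."""
    return sorted(n for n in dist
                  if min(dist[n][m] for m in dist if m != n) > threshold)


PROFILES = {name: transition_matrix(trace) for name, trace in TRACES.items()}

if __name__ == "__main__":
    D = distance_matrix(PROFILES)
    for n in D:
        print(n, {m: round(D[n][m], 3) for m in D if m != n})
    print("clusters:", cluster(D, 0.3))
    print("outliers:", outliers(D, 0.3))
```

Two points carry over to the real setting. First, smoothing is not optional: without it, one never-seen transition drives a ratio-based distance to infinity, and a process that emits a single new event type would dominate the clustering. Second, the threshold is a tuning knob that trades missed outliers against false alarms; on a goodware baseline like the paper's, it would be set so that the known-benign processes merge into their expected clusters before anything is flagged.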