DESCRIPTION NORT is a tool for establishing signatures of normal behaving applications and monitoring the current behavior of applications and checking against the learned specifications.

Traditional antivirus solutions require signatures of either the malware binary or its behavior and fail to detect new malware or variants of the same malware. Our approach on the malware detection problem starts from the assumption that malware will be harmful to the normal system and will cause changes to legitimate processes. We try to capture such changes and examine how to better approximate a system~Rs normal behavior by presenting NOrmal behavioR moniTor (NORT) real-time specification mining and monitoring system.

Knowing the normal behavior of a system allows us to determine if the system is acting abnormally. This is done by measuring the deviation from normality, without the need of signatures. Our system first constructs a model of the expected, normal behavior of applications, by analyzing events that are generated during their normal operation and then monitors all subsequent events to identify deviations, from the learned model. The executables that are loaded into memory are scanned and specifications are extracted as they run, without even using a sandbox.

Traces of system calls are used as input events and specifications in the form of patterns of system calls and entropy are extracted and used to profile and distinguish between acceptable and unacceptable behavior. We are proposing a new algorithm on mining minimal infrequent iterative sequential patterns and a novel application of mining infrequent and frequent patterns to security and malware detection. Our method will apply the principle of defense in depth and use the proven method of entropy along with knowledge discovery algorithms.