NORT: Normal Behavior Monitor
Institute: National University of Singapore
Department: Computer Science
People: Narcisa Andreea Milea, Siau-Cheng Khoo, David Lo and Cristi Pop
Email: {mileanar, specmine} 'at' comp.nus.edu.sg
Contact: (65) 651-61862
DESCRIPTION

NORT is a tool for establishing signatures of normally behaving applications, monitoring the current behavior of applications, and checking that behavior against the learned specifications.

Traditional antivirus solutions require signatures of either the malware binary or its behavior, and they fail to detect new malware or variants of the same malware. Our approach to the malware detection problem starts from the assumption that malware will be harmful to the normal system and will cause changes to legitimate processes. We try to capture such changes and examine how to better approximate a system's normal behavior by presenting the NOrmal behavioR moniTor (NORT), a real-time specification mining and monitoring system.

Knowing the normal behavior of a system allows us to determine whether the system is acting abnormally. This is done by measuring the deviation from normality, without the need for signatures. Our system first constructs a model of the expected, normal behavior of applications by analyzing events that are generated during their normal operation, and then monitors all subsequent events to identify deviations from the learned model. The executables that are loaded into memory are scanned and specifications are extracted as they run, without even using a sandbox.

Traces of system calls are used as input events. Specifications in the form of patterns of system calls and entropy are extracted from them and used to profile applications and to distinguish between acceptable and unacceptable behavior. We are proposing a new algorithm for mining minimal infrequent iterative sequential patterns and a novel application of mining infrequent and frequent patterns to security and malware detection. Our method will apply the principle of defense in depth and use the proven method of entropy along with knowledge discovery algorithms.
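
The learn-then-monitor idea described above, as an added example that is not NORT's code or its mining algorithm: it substitutes fixed-length sliding-window n-grams for the mined iterative patterns and assumes "entropy" means the Shannon entropy of the system call distribution in a trace. The system call names, traces, window length and thresholds are all constructed for illustration.

```python
import math
from collections import Counter

# Constructed traces: two normal runs of a hypothetical file-processing app,
# and one run of the same app after its behavior has changed.
NORMAL = [
    ["open", "read", "read", "close", "open", "read", "write", "close"],
    ["open", "read", "write", "close", "open", "read", "read", "close"],
]
DEVIANT = ["open", "read", "close", "socket", "connect",
           "write", "write", "write", "close"]

def ngrams(trace, n):
    """All contiguous windows of n system calls in the trace."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]

def entropy(trace):
    """Shannon entropy (bits) of the system call frequency distribution."""
    total = len(trace)
    return -sum(c / total * math.log2(c / total)
                for c in Counter(trace).values())

def learn(normal_traces, n=3, slack=0.25):
    """Profile = every n-gram seen in normal runs plus an entropy band."""
    seen, ents = set(), []
    for trace in normal_traces:
        seen.update(ngrams(trace, n))
        ents.append(entropy(trace))
    return {"n": n, "ngrams": seen,
            "lo": min(ents) - slack, "hi": max(ents) + slack}

def check(profile, trace, max_unseen=0.1):
    """Score a new trace against the profile; no malware signature is used."""
    grams = ngrams(trace, profile["n"])
    unseen = [g for g in grams if g not in profile["ngrams"]]
    ratio = len(unseen) / len(grams) if grams else 0.0
    h = entropy(trace)
    reasons = []
    if ratio > max_unseen:                        # too many never-seen patterns
        reasons.append("unseen-patterns")
    if not profile["lo"] <= h <= profile["hi"]:   # call mix outside normal band
        reasons.append("entropy")
    return {"anomalous": bool(reasons), "reasons": reasons,
            "unseen_ratio": ratio, "entropy": h}

if __name__ == "__main__":
    profile = learn(NORMAL)
    print(check(profile, NORMAL[0]))
    print(check(profile, DEVIANT))
```

The two checks are independent layers: a trace can reuse only known patterns yet still shift the call mix, or keep the mix while introducing new orderings.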


In order to run NORT, your system must meet the following requirements:


For example usage, please refer to our user manual.


This release includes the binary version of NORT and examples of data: nort-0.1.7z (MB) [released on 1st Nov, 2011].

The zipped file is secured with a password. As a faculty policy, we are asked to know your purpose for downloading the tool. Please help us by filling in the following form, and a password will be shown to you. You may need to read our terms of usage before proceeding with the download.


Last updated on 1st Nov, 2011.