Using Execution Profiles to Identify Process Behavior Classes

2020 International Symposium on Networks, Computers and Communications (ISNCC) (2020)

Abstract
A computer process can exhibit various behaviors (general notion of operations) during its lifetime. Interacting with files, performing computational tasks, and network interactions are example process behaviors. Identifying the current behavior of computer processes can be used to improve resource management and policy enforcement. Inspecting the application instructions (static analysis) can be done to provide a notion of what an application can potentially do; however, certain behaviors may only be exhibited during the actual execution and are dependent on the intended application. This paper investigates a novel dynamic analysis approach that uses execution profiles to identify process behavior. An execution profile is a compact frequency representation of the executed machine instructions associated with an application. For this preliminary work, execution profiles are used in combination with Gaussian Mixture Models (GMMs) to determine if different processes (associated with different applications) cluster together into behavior groups. Experimental results using execution profiles with six different Linux utilities indicate processes cluster based on behavior, unlike static-based analysis.
Keywords
Computer processes, resource management, policy enforcement