Bridging the Gap between Data-Flow and Control-Flow Analysis for Anomaly Detection
Host-based anomaly detectors monitor the control-flow and data-flow behavior of system calls to detect intrusions. Control-flow-based detectors monitor the sequence of system calls, while data-flow-based detectors monitor the data propagation among arguments of system calls. Besides pointing out tha...
Saved in:
| Main Authors: | , , , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2008
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/441 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| id |
sg-smu-ink.sis_research-1440 |
|---|---|
| record_format |
dspace |
| spelling |
sg-smu-ink.sis_research-14402010-09-24T06:36:22Z Bridging the Gap between Data-Flow and Control-Flow Analysis for Anomaly Detection LI, Peng PARK, Hyundo GAO, Debin Fu, Jianming Host-based anomaly detectors monitor the control-flow and data-flow behavior of system calls to detect intrusions. Control-flow-based detectors monitor the sequence of system calls, while data-flow-based detectors monitor the data propagation among arguments of system calls. Besides pointing out that data-flow-based detectors can be layered on top of control-flow-based ones (or vice versa) to improve accuracy, there is a large gap between the two research directions in that research along one direction had been fairly isolated and had not made good use of results from the other direction. In this paper, we show how data-flow analysis can leverage results from control-flow analysis to learn more accurate and useful rules for anomaly detection. Our results show that the proposed control-flow-analysis-aided data-flow analysis reveals some accurate and useful rules that cannot be learned in prior data-flow analysis techniques. These relations among system call arguments and return values are useful in detecting many real attacks. A trace-driven evaluation shows that the proposed technique enjoys low false-alarm rates and overhead when implemented on a production server. 2008-10-01T07:00:00Z text https://ink.library.smu.edu.sg/sis_research/441 info:doi/10.1109/ACSAC.2008.17 Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University system call argument data-flow control-flow anomaly detection Information Security |
| institution |
Singapore Management University |
| building |
SMU Libraries |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
SMU Libraries |
| collection |
InK@SMU |
| language |
English |
| topic |
system call argument data-flow control-flow anomaly detection Information Security |
| spellingShingle |
system call argument data-flow control-flow anomaly detection Information Security LI, Peng PARK, Hyundo GAO, Debin Fu, Jianming Bridging the Gap between Data-Flow and Control-Flow Analysis for Anomaly Detection |
| description |
Host-based anomaly detectors monitor the control-flow and data-flow behavior of system calls to detect intrusions. Control-flow-based detectors monitor the sequence of system calls, while data-flow-based detectors monitor the data propagation among arguments of system calls. Besides pointing out that data-flow-based detectors can be layered on top of control-flow-based ones (or vice versa) to improve accuracy, there is a large gap between the two research directions in that research along one direction had been fairly isolated and had not made good use of results from the other direction. In this paper, we show how data-flow analysis can leverage results from control-flow analysis to learn more accurate and useful rules for anomaly detection. Our results show that the proposed control-flow-analysis-aided data-flow analysis reveals some accurate and useful rules that cannot be learned in prior data-flow analysis techniques. These relations among system call arguments and return values are useful in detecting many real attacks. A trace-driven evaluation shows that the proposed technique enjoys low false-alarm rates and overhead when implemented on a production server. |
| format |
text |
| author |
LI, Peng PARK, Hyundo GAO, Debin Fu, Jianming |
| author_facet |
LI, Peng PARK, Hyundo GAO, Debin Fu, Jianming |
| author_sort |
LI, Peng |
| title |
Bridging the Gap between Data-Flow and Control-Flow Analysis for Anomaly Detection |
| title_short |
Bridging the Gap between Data-Flow and Control-Flow Analysis for Anomaly Detection |
| title_full |
Bridging the Gap between Data-Flow and Control-Flow Analysis for Anomaly Detection |
| title_fullStr |
Bridging the Gap between Data-Flow and Control-Flow Analysis for Anomaly Detection |
| title_full_unstemmed |
Bridging the Gap between Data-Flow and Control-Flow Analysis for Anomaly Detection |
| title_sort |
bridging the gap between data-flow and control-flow analysis for anomaly detection |
| publisher |
Institutional Knowledge at Singapore Management University |
| publishDate |
2008 |
| url |
https://ink.library.smu.edu.sg/sis_research/441 |
| _version_ |
1770570424797626368 |