Automatically Adapting a Trained Anomaly Detector to Software Patches
In order to detect a compromise of a running process based on it deviating from its program’s normal system-call behavior, an anomaly detector must first be trained with traces of system calls made by the program when provided clean inputs. When a patch for the monitored program is released, however...
Saved in:
| Main Authors: | , , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2009
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/475 http://dx.doi.org/10.1007/978-3-642-04342-0_8 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| id |
sg-smu-ink.sis_research-1474 |
|---|---|
| record_format |
dspace |
| spelling |
sg-smu-ink.sis_research-14742010-09-24T06:36:22Z Automatically Adapting a Trained Anomaly Detector to Software Patches LI, Peng GAO, Debin Reiter, Michael K. In order to detect a compromise of a running process based on it deviating from its program’s normal system-call behavior, an anomaly detector must first be trained with traces of system calls made by the program when provided clean inputs. When a patch for the monitored program is released, however, the system call behavior of the new version might differ from that of the version it replaces, rendering the anomaly detector too inaccurate for monitoring the new version. In this paper we explore an alternative to collecting traces of the new program version in a clean environment (which may take effort to set up), namely adapting the anomaly detector to accommodate the differences between the old and new program versions. We demonstrate that this adaptation is feasible for such an anomaly detector, given the output of a state-of-the-art binary difference analyzer. Our analysis includes both proofs of properties of the adapted detector, and empirical evaluation of adapted detectors based on four software case studies. 2009-09-01T07:00:00Z text https://ink.library.smu.edu.sg/sis_research/475 info:doi/10.1007/978-3-642-04342-0_8 http://dx.doi.org/10.1007/978-3-642-04342-0_8 Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Information Security |
| institution |
Singapore Management University |
| building |
SMU Libraries |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
SMU Libraries |
| collection |
InK@SMU |
| language |
English |
| topic |
Information Security |
| spellingShingle |
Information Security LI, Peng GAO, Debin Reiter, Michael K. Automatically Adapting a Trained Anomaly Detector to Software Patches |
| description |
In order to detect a compromise of a running process based on it deviating from its program’s normal system-call behavior, an anomaly detector must first be trained with traces of system calls made by the program when provided clean inputs. When a patch for the monitored program is released, however, the system call behavior of the new version might differ from that of the version it replaces, rendering the anomaly detector too inaccurate for monitoring the new version. In this paper we explore an alternative to collecting traces of the new program version in a clean environment (which may take effort to set up), namely adapting the anomaly detector to accommodate the differences between the old and new program versions. We demonstrate that this adaptation is feasible for such an anomaly detector, given the output of a state-of-the-art binary difference analyzer. Our analysis includes both proofs of properties of the adapted detector, and empirical evaluation of adapted detectors based on four software case studies. |
| format |
text |
| author |
LI, Peng GAO, Debin Reiter, Michael K. |
| author_facet |
LI, Peng GAO, Debin Reiter, Michael K. |
| author_sort |
LI, Peng |
| title |
Automatically Adapting a Trained Anomaly Detector to Software Patches |
| title_short |
Automatically Adapting a Trained Anomaly Detector to Software Patches |
| title_full |
Automatically Adapting a Trained Anomaly Detector to Software Patches |
| title_fullStr |
Automatically Adapting a Trained Anomaly Detector to Software Patches |
| title_full_unstemmed |
Automatically Adapting a Trained Anomaly Detector to Software Patches |
| title_sort |
automatically adapting a trained anomaly detector to software patches |
| publisher |
Institutional Knowledge at Singapore Management University |
| publishDate |
2009 |
| url |
https://ink.library.smu.edu.sg/sis_research/475 http://dx.doi.org/10.1007/978-3-642-04342-0_8 |
| _version_ |
1770570448934797312 |