On Gray-Box Program Tracking for Anomaly Detection

Many host-based anomaly detection systems monitor a process ostensibly running a known program by observing the system calls the process makes. Numerous improvements to the precision of this approach have been proposed, such as tracking system call sequences, and various "gray-box" extensions such as examining the program counter or return addresses on the stack when system calls are made. In this paper, we perform the first systematic study of a wide spectrum of such methods. We show that prior approaches can be organized along three axes, revealing new possibilities for system-call-based program tracking. Through an empirical analysis of this design space, we shed light on the benefits and costs of various points in the space and identify new regions that appear to outperform prior approaches. In separate contributions, we demonstrate novel mimicry attacks on a recent proposal using return addresses for system-call-based program tracking, and then suggest randomization techniques to make such attacks more difficult.
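
The abstract contrasts black-box tracking (system call sequences alone) with gray-box tracking that also records the program counter or the return addresses on the stack at each call, and notes that return-address tracking is itself subject to mimicry. The following Python is an added example, not code from the paper or its authors: a single n-gram whitelist tracker parametrized by what it records per call, run over constructed traces of a toy program and three constructed attack traces. The model, the addresses, the call names and the attack traces are all assumptions made for illustration; the "stack-forging" trace only shows the general limit that a monitor reading the stack is checking data the attacker may control, not the paper's specific attacks or its randomization defences.

```python
"""Black-box vs. gray-box system-call tracking on constructed traces.

Added example, not code from the paper or its authors. The three symbol
extractors are simplified stand-ins for "what the monitor records at each
system call" (name only; name plus program counter; name plus the return
addresses on the stack). All addresses, traces and attacks are constructed.
"""
from collections import namedtuple

# What the monitor observes at one system call: its name, the program counter
# of the syscall instruction, and the return addresses walked up the stack
# (innermost call site first).
Event = namedtuple("Event", ["syscall", "pc", "ret_chain"])


def sym_name(e):
    """Black box: the system call name only."""
    return (e.syscall,)


def sym_name_pc(e):
    """Gray box: name plus the program counter at the syscall instruction."""
    return (e.syscall, e.pc)


def sym_name_stack(e):
    """Gray box: name, program counter and the full return-address chain."""
    return (e.syscall, e.pc, e.ret_chain)


class NgramTracker:
    """Whitelists every n-gram of symbols seen in training traces."""

    def __init__(self, symbol, n=2):
        self.symbol = symbol
        self.n = n
        self.allowed = set()

    def _ngrams(self, trace):
        syms = [self.symbol(e) for e in trace]
        return {tuple(syms[i:i + self.n]) for i in range(len(syms) - self.n + 1)}

    def train(self, trace):
        self.allowed |= self._ngrams(trace)

    def anomalies(self, trace):
        """N-grams present in the trace that never occurred during training."""
        return sorted(self._ngrams(trace) - self.allowed)


# Constructed legitimate program: main() -> handle() -> one helper per syscall,
# each helper calling the libc wrapper whose syscall instruction sits at PC.
MAIN, HANDLE = 0x401080, 0x401500
LIBC_PC = {"read": 0x7f1000, "open": 0x7f1040, "close": 0x7f1080, "write": 0x7f10c0}
HELPER_SITE = {"read": 0x401a20, "open": 0x401b00, "close": 0x401b40, "write": 0x401a60}
STACK_PAYLOAD = 0x7ffd1000  # where injected code lives in the constructed attack


def legit(syscall):
    return Event(syscall, LIBC_PC[syscall], (HELPER_SITE[syscall], HANDLE, MAIN))


def injected(syscall):
    """Payload calls the libc wrapper directly: same PC, but the innermost
    return address points back into the payload on the stack."""
    return Event(syscall, LIBC_PC[syscall], (STACK_PAYLOAD, HANDLE, MAIN))


LOOP = ["read", "open", "read", "close", "write"]
TRAINING = [legit(s) for s in LOOP * 3]

ATTACKS = {
    # Injected code issues "open" right after "write": an order never trained.
    "naive": TRAINING[:5] + [injected("open")],
    # Sequence mimicry: the payload replays one legitimate loop iteration.
    "seq_mimicry": TRAINING[:5] + [injected(s) for s in LOOP],
    # Stack-forging mimicry: the payload also lays out the expected return
    # chain, so the trace is indistinguishable from training. (Constructed
    # illustration of the limit, not the paper's specific attacks.)
    "forged_mimicry": TRAINING[:5] + [legit(s) for s in LOOP],
}


def detects(symbol, n=2):
    """Map attack name -> whether a tracker using `symbol` flags it."""
    tracker = NgramTracker(symbol, n)
    tracker.train(TRAINING)
    return {name: bool(tracker.anomalies(trace)) for name, trace in ATTACKS.items()}


if __name__ == "__main__":
    for sym in (sym_name, sym_name_pc, sym_name_stack):
        print(f"{sym.__name__:15s} {detects(sym)}")
```

Running it shows the ordering the abstract describes: the name-only and name-plus-PC trackers catch only the out-of-order call, because a payload that calls the libc wrappers produces the same names and the same syscall-instruction addresses as the real program; recording the return-address chain additionally catches the sequence-mimicry trace, whose innermost return address lies in the payload. The last trace is the caveat: once the attacker arranges the stack to carry the expected chain, every tracker here is satisfied, which is the class of weakness the paper's randomization suggestions are aimed at.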

Bibliographic Details
Main Authors: GAO, Debin, Reiter, Michael K., SONG, Dawn
Format: text
Language: English
Published: Institutional Knowledge at Singapore Management University 2004
Subjects: Information Security
Collection: Research Collection School Of Computing and Information Systems
Date: 2004-08-01
Online Access:https://ink.library.smu.edu.sg/sis_research/1241
http://dl.acm.org/citation.cfm?id=1251383
Institution: Singapore Management University