Gray-Box Extraction of Execution Graphs for Anomaly Detection
Many host-based anomaly detection systems monitor a process by observing the system calls it makes, and comparing these calls to a model of behavior for the program that the process should be executing. In this paper we introduce a new model of system call behavior, called an execution graph. The execution graph is the first such model that both requires no static analysis of the program source or binary, and conforms to the control flow graph of the program. When used as the model in an anomaly detection system monitoring system calls, it offers two strong properties: (i) it accepts only system call sequences that are consistent with the control flow graph of the program; (ii) it is maximal given a set of training data, meaning that any extensions to the execution graph could permit some intrusions to go undetected. In this paper, we formalize and prove these claims. We additionally evaluate the performance of our anomaly detection technique.
| Field | Value |
|---|---|
| Main Authors | GAO, Debin; Reiter, Michael K.; SONG, Dawn |
| Format | text |
| Language | English |
| Published | Institutional Knowledge at Singapore Management University, 2004 |
| Subjects | Information Security |
| Online Access | https://ink.library.smu.edu.sg/sis_research/1242 ; http://dx.doi.org/10.1145/1030083.1030126 |
| Institution | Singapore Management University |
| Record field | Value |
|---|---|
| id | sg-smu-ink.sis_research-2241 |
| record_format | dspace |
| spelling | sg-smu-ink.sis_research-2241 2010-12-22T08:24:06Z Gray-Box Extraction of Execution Graphs for Anomaly Detection GAO, Debin Reiter, Michael K. SONG, Dawn Many host-based anomaly detection systems monitor a process by observing the system calls it makes, and comparing these calls to a model of behavior for the program that the process should be executing. In this paper we introduce a new model of system call behavior, called an execution graph. The execution graph is the first such model that both requires no static analysis of the program source or binary, and conforms to the control flow graph of the program. When used as the model in an anomaly detection system monitoring system calls, it offers two strong properties: (i) it accepts only system call sequences that are consistent with the control flow graph of the program; (ii) it is maximal given a set of training data, meaning that any extensions to the execution graph could permit some intrusions to go undetected. In this paper, we formalize and prove these claims. We additionally evaluate the performance of our anomaly detection technique. 2004-10-25T07:00:00Z text https://ink.library.smu.edu.sg/sis_research/1242 info:doi/10.1145/1030083.1030126 http://dx.doi.org/10.1145/1030083.1030126 Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Information Security |
| institution | Singapore Management University |
| building | SMU Libraries |
| continent | Asia |
| country | Singapore |
| content_provider | SMU Libraries |
| collection | InK@SMU |
| language | English |
| topic | Information Security |
| spellingShingle | Information Security GAO, Debin Reiter, Michael K. SONG, Dawn Gray-Box Extraction of Execution Graphs for Anomaly Detection |
| format | text |
| author | GAO, Debin; Reiter, Michael K.; SONG, Dawn |
| author_facet | GAO, Debin; Reiter, Michael K.; SONG, Dawn |
| author_sort | GAO, Debin |
| title (also title_short, title_full, title_fullStr, title_full_unstemmed) | Gray-Box Extraction of Execution Graphs for Anomaly Detection |
| title_sort | gray-box extraction of execution graphs for anomaly detection |
| publisher | Institutional Knowledge at Singapore Management University |
| publishDate | 2004 |
| url | https://ink.library.smu.edu.sg/sis_research/1242 ; http://dx.doi.org/10.1145/1030083.1030126 |
| _version_ | 1770570927086501888 |