Gray-Box Extraction of Execution Graphs for Anomaly Detection

Many host-based anomaly detection systems monitor a process by observing the system calls it makes, and comparing these calls to a model of behavior for the program that the process should be executing. In this paper we introduce a new model of system call behavior, called an execution graph. The execution graph is the first such model that both requires no static analysis of the program source or binary, and conforms to the control flow graph of the program. When used as the model in an anomaly detection system monitoring system calls, it offers two strong properties: (i) it accepts only system call sequences that are consistent with the control flow graph of the program; (ii) it is maximal given a set of training data, meaning that any extensions to the execution graph could permit some intrusions to go undetected. In this paper, we formalize and prove these claims. We additionally evaluate the performance of our anomaly detection technique.

Full Description

Saved in:
Bibliographic Details
Main Authors: GAO, Debin; Reiter, Michael K.; SONG, Dawn
Format: text
Language: English
Published: Institutional Knowledge at Singapore Management University, 2004
Subjects: Information Security
Online Access: https://ink.library.smu.edu.sg/sis_research/1242
http://dx.doi.org/10.1145/1030083.1030126
Record date: 2004-10-25
Collection: Research Collection School Of Computing and Information Systems, Institutional Knowledge at Singapore Management University