Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001
DOI: 10.1109/secpri.2001.924295

A fast automaton-based method for detecting anomalous program behaviors

Abstract: Forrest et al introduced a new intrusion detection approach that identifies anomalous sequences of system calls executed by programs. Since their work, anomaly detection on system call sequences has become perhaps the most successful approach for detecting novel intrusions. A natural way for learning sequences is to use a finite-state automaton (FSA). However, previous research seemed to indicate that FSA-learning is computationally expensive, that it cannot be completely automated, or that the space usage of t…

Cited by 355 publications
(304 citation statements)
References 13 publications
“…An important characteristic that attackers use is that the default protection model permits programs to invoke any system call from any function, but in actuality each system call is only invoked from a few locations in the legal code. While some previous work has exploited the idea of binding system calls or other security sensitive events with context [5,18,[22][23][24], this paper explores this approach further. We introduce the concept of waypoints to provide trustworthy control flow information, and show how to apply the information in anomaly detection.…”
Section: Attack Models
confidence: 99%
“…The third layer of defense attempts to prevent the executing attack code from doing further harm through the system interface. Existing work at this stage includes anomaly detection [5,6,12,24,25,27], process randomization [2,10,13,28,36], and instruction set randomization [34,35].…”
Section: Related Work
confidence: 99%
“…The branch of research most related to our approach is anomaly-based application integrity checking [16,34,50,99,119], which validates application behavior from the vantage point of a secure operating system. These approaches work well when an adversary has difficulty infiltrating the host system; however, they are inappropriate for the cheating problem, where the adversary owns the machine and can readily alter the operating system to disable detection tools.…”
Section: Related Work
confidence: 99%