A sense of self for Unix processes

Forrest, Stephanie; Hofmeyr, Steven; Somayaji, Anil; Longstaff, Thomas A.

doi:10.1109/secpri.1996.502675

Cited by 1,094 publications

(964 citation statements)

References 5 publications

Supporting

Mentioning

945

Contrasting

Unclassified

Order By: Relevance

“…For example, supervised learning has been applied to detect insider threats. System call traces from normal activity and anomaly data are gathered [13,14]; features are extracted from this data using n-gram and finally, trained with classifiers. Lia and Vemuri exploit text classification idea in insider threat domain [15] where each system call is treated as a word in bag of words model.…”

Section: Related Workmentioning

confidence: 99%

Supervised Learning for Insider Threat Detection Using Stream Mining

Parveen¹,

Weger²,

Thuraisingham³

et al. 2011

2011 IEEE 23rd International Conference on Tools With Artificial Intelligence

View full text Add to dashboard Cite

Abstract-Insider threat detection requires the identification of rare anomalies in contexts where evolving behaviors tend to mask such anomalies. This paper proposes and tests an ensemble-based stream mining algorithm based on supervised learning that addresses this challenge by maintaining an evolving collection of multiple models to classify dynamic data streams of unbounded length. The result is a classifier that exhibits substantially increased classification accuracy for real insider threat streams relative to traditional supervised learning (traditional SVM and one-class SVM) and other single-model approaches.

show abstract

Section: Related Workmentioning

confidence: 99%

Supervised Learning for Insider Threat Detection Using Stream Mining

Parveen¹,

Weger²,

Thuraisingham³

et al. 2011

2011 IEEE 23rd International Conference on Tools With Artificial Intelligence

View full text Add to dashboard Cite

show abstract

“…Anomaly detection models the normal behaviors of the subjects being monitored and identifies anything that significantly deviates from the normal behaviors as attacks. Many techniques have been proposed for anomaly detection, including statistical approaches (e.g., Haystack [36], NIDES/STAT [15]), machine learning approaches (e.g., TIM [37], IBL [20]), computer immunological approaches [7], [8], [39], and specification based approaches [17], [18], [35], [38]. Misuse detection models the patterns of known attacks or vulnerabilities, and identifies actions that conform to such patterns as attacks.…”

Section: Intrusion Detectionmentioning

confidence: 99%

LAD: Localization anomaly detection for wireless sensor networks

Fang

Ningi

2006

Journal of Parallel and Distributed Computing

134

130

View full text Add to dashboard Cite

Abstract-In wireless sensor networks (WSNs), sensors' locations play a critical role in many applications. Having a GPS receiver on every sensor node is costly. In the past, a number of location discovery (localization) schemes have been proposed. Most of these schemes share a common feature: they use some special nodes, called beacon nodes, which are assumed to know their own locations (e.g., through GPS receivers or manual configuration). Other sensors discover their locations based on the reference information provided by these beacon nodes.Most of the beacon-based localization schemes assume a benign environment, where all beacon nodes are supposed to provide correct reference information. However, when the sensor networks are deployed in a hostile environment, where beacon nodes can be compromised, such an assumption does not hold anymore.In this paper, we propose a general scheme to detect localization anomalies that are caused by adversaries. Our scheme is independent from the localization schemes. We formulate the problem as an anomaly intrusion detection problem, and we propose a number of ways to detect localization anomalies. We have conducted simulations to evaluate the performance of our scheme, including the false positive rates, the detection rates, and the resilience to node compromises.

show abstract

“…Buffer overflow attacks are the best-known example of this type of attacks. For years, people have been working on preventing, detecting, and tolerating these attacks [1][2][3][4][5][6][7][8][9][10][11][12][13]. Despite these efforts, current systems are not secure.…”

Section: Introductionmentioning

confidence: 99%

Context Sensitive Anomaly Monitoring of Process Control Flow to Detect Mimicry Attacks and Impossible Paths

Chapin

2004

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Many intrusions amplify rights or circumvent defenses by issuing system calls in ways that the original process did not. Defense against these attacks emphasizes preventing attacking code from being introduced to the system and detecting or preventing execution of the injected code. Another approach, where this paper fits in, is to assume that both injection and execution have occurred, and to detect and prevent the executing code from subverting the target system. We propose a method using waypoints: marks along the normal execution path that a process must follow to successfully access operating system services. Waypoints actively log trustworthy context information as the program executes, allowing our anomaly monitor to both monitor control flow and restrict system call permissions to conform to the legitimate needs of application functions. We describe our design and implementation of waypoints and present results showing that waypoint-based anomaly monitors can detect a subset of mimicry attacks and impossible paths.

show abstract

A sense of self for Unix processes

Cited by 1,094 publications

References 5 publications

Supervised Learning for Insider Threat Detection Using Stream Mining

Supervised Learning for Insider Threat Detection Using Stream Mining

LAD: Localization anomaly detection for wireless sensor networks

Context Sensitive Anomaly Monitoring of Process Control Flow to Detect Mimicry Attacks and Impossible Paths

Contact Info

Product

Resources

About