Anomaly detection using call stack information

Feng, H.H.; Kolesnikov, Oleg; Fogla, Prahlad; Lee, W.; Gong, Weibo

doi:10.1109/secpri.2003.1199328

Cited by 240 publications

(237 citation statements)

References 13 publications

Supporting

Mentioning

236

Contrasting

Unclassified

Order By: Relevance

“…In this paper, we use function-level scoping as the context of a waypoint. If function C calls function D, then the active context is that of D; upon function return, the active context is again that of C. Waypoints provide control flow context for security checking, which supports call flow checking approaches such as that in Feng, et al [5] and allows us to check whether the process being monitored has permission to make the requested system call in the context of the current waypoint.…”

Section: ) Execve()mentioning

confidence: 99%

“…An important characteristic that attackers use is that the default protection model permits programs to invoke any system call from any function, but in actuality each system call is only invoked from a few locations in the legal code. While some previous work has exploited the idea of binding system calls or other security sensitive events with context [5,18,[22][23][24], this paper explores this approach further. We introduce the concept of waypoints to provide trustworthy control flow information, and show how to apply the information in anomaly detection.…”

Section: Attack Modelsmentioning

confidence: 99%

“…Buffer overflow attacks are the best-known example of this type of attacks. For years, people have been working on preventing, detecting, and tolerating these attacks [1][2][3][4][5][6][7][8][9][10][11][12][13]. Despite these efforts, current systems are not secure.…”

Section: Introductionmentioning

confidence: 99%

“…for comparison to the profile, typical anomaly detectors use system calls [6,[14][15][16][17] or function calls [5,18] as the granularity for events.…”

mentioning

confidence: 99%

See 3 more Smart Citations

Context Sensitive Anomaly Monitoring of Process Control Flow to Detect Mimicry Attacks and Impossible Paths

Chapin

2004

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Many intrusions amplify rights or circumvent defenses by issuing system calls in ways that the original process did not. Defense against these attacks emphasizes preventing attacking code from being introduced to the system and detecting or preventing execution of the injected code. Another approach, where this paper fits in, is to assume that both injection and execution have occurred, and to detect and prevent the executing code from subverting the target system. We propose a method using waypoints: marks along the normal execution path that a process must follow to successfully access operating system services. Waypoints actively log trustworthy context information as the program executes, allowing our anomaly monitor to both monitor control flow and restrict system call permissions to conform to the legitimate needs of application functions. We describe our design and implementation of waypoints and present results showing that waypoint-based anomaly monitors can detect a subset of mimicry attacks and impossible paths.

show abstract

Section: ) Execve()mentioning

confidence: 99%

Section: Attack Modelsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

“…for comparison to the profile, typical anomaly detectors use system calls [6,[14][15][16][17] or function calls [5,18] as the granularity for events.…”

mentioning

confidence: 99%

See 2 more Smart Citations

Context Sensitive Anomaly Monitoring of Process Control Flow to Detect Mimicry Attacks and Impossible Paths

Chapin

2004

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…The branch of research most related to our approach is anomaly-based application integrity checking [16,34,50,99,119], which validates application behavior from the vantage point of a secure operating system. These approaches work well when an adversary has difficulty infiltrating the host system, however, they are inappropriate for the cheating problem where the adversary owns the machine and can readily alter the operating system to disable detection tools.…”

Section: Related Workmentioning

confidence: 99%

Addressing Automated Adversaries of Network Applications

Feng

Kaiser

2000

View full text Add to dashboard Cite

The Internet supports a perpetually evolving patchwork of network services and applications. Popular applications include the World Wide Web, online commerce, online banking, email, instant messaging, multimedia streaming, and online video games. Practically all networked applications have a common objective: to directly or indirectly process requests generated by humans. Some users employ automation to establish an unfair advantage over non-automated users. The perceived and substantive damages that automated, adversarial users inflict on an application degrade its enjoyment and usability by legitimate users, and result in reputation and revenue loss for the application's service provider.This dissertation examines three challenges critical to addressing the undesirable automation of networked applications. The first challenge explores individual methods that detect various automated behaviors. Detection methods range from observing unusual network-level request traffic to sensing anomalous client operation at the application-level. Since many detection methods are not individually conclusive, the second challenge investigates how to combine detection methods to accurately identify automated adversaries. The third challenge considers how to leverage the available knowledge to disincentivize adversary automation by nullifying their advantage over legitimate users.The thesis of this dissertation is that: there exist methods to detect automated behaviors with which an application's service provider can identify and then systematically disincentivize automated adversaries. This dissertation evaluates this thesis using research performed on two network applications that have different access to the client software: Web-based services and multiplayer online games. I would like to thank my advisor, Professor Wu-chang Feng, for his guidance throughout the course of this work. When I was stuck on a problem, his valuable advice always offered me a new perspective from which to approach the problem.From providing me with a framework for my research to reading and patiently editing my papers, each of his many contributions nudged me incrementally closer to completing my dissertation. I would also like to express my appreciation to

show abstract

Online behavior classification for anomaly detection in self‐x real‐time systems

Rammig

Stahl

2015

Concurrency and Computation

View full text Add to dashboard Cite

SUMMARYAutonomous adaptation in self-adapting embedded real-time systems introduces novel risks as it may lead to unforeseen system behavior. An anomaly detection framework integrated in a real-time operating system can ease the identification of such suspicious novel behavior and, thereby, offers the potential to enhance the reliability of the considered self-x system. However, anomaly detection is based on knowledge about normal behavior. When dealing with self-reconfiguring applications, normal behavior changes. Hence, knowledge base requires adaptation or even re-construction at runtime. The stringent restrictions of real-time systems considering runtime and memory consumption make this task to a really challenging problem. We present our idea for online construction of application behavior knowledge that does not rely on training phase. The applications' behavior is defined by the application's system call invocations. For the knowledge base, we exploit suffix trees as they offer potentials to represent application behavior patterns and associated information in a compact manner. The online algorithm provided by suffix trees is a basis to construct the knowledge base with low computational effort. Anomaly detection and classification is integrated into the online construction method. New behavioral patterns do not unconditionally update the behavior knowledge base. They are evaluated in a context-related manner inspired by Danger Theory, a special discipline of artificial immune systems.

show abstract

Anomaly detection using call stack information

Abstract: The

Cited by 240 publications

References 13 publications

Context Sensitive Anomaly Monitoring of Process Control Flow to Detect Mimicry Attacks and Impossible Paths

Context Sensitive Anomaly Monitoring of Process Control Flow to Detect Mimicry Attacks and Impossible Paths

Addressing Automated Adversaries of Network Applications

Online behavior classification for anomaly detection in self‐x real‐time systems

Contact Info

Product

Resources

About