2016
DOI: 10.1002/cpe.4023

Bypassing system calls–based intrusion detection systems

Abstract: Machine learning augments today's intrusion detection system (IDS) capability to cope with unknown malware. However, if an attacker gains partial knowledge about the IDS' classifier, he can create a modified version of his malware that evades detection. In this article we present an IDS based on various classifiers that use the system calls executed by the inspected code as features. We then present a camouflage algorithm that is used to modify malicious code so that it is classified as benign, while preserving …

Cited by 12 publications (8 citation statements)
References 30 publications
“…Though API calls to the operating system kernel are the most popular behavioural features used in dynamic malware detection, there are several reasons why we have chosen machine activity features as inputs to the model instead. Firstly, recent work has shown that API calls are vulnerable to manipulation, causing neural networks to misclassify samples ([22], [23]). As Burnap et al. [24] argue, "malware cannot avoid leaving a behavioural footprint" of machine activity; future work will necessarily examine the robustness of machine activity to adversarial crafting, but this is outside the scope of this paper.…”
Section: Methods (mentioning)
confidence: 99%
“…There is another study also focusing on the security issues of an Intrusion Detection System (IDS) based on various classifiers using system calls, executed by the inspected code, as features, and thus a camouflage algorithm that is used to modify malicious code to be classified as benign, while preserving the code's functionality, for decision tree and random forest classifiers. The research shows that it is not enough to provide a decision tree–based classifier with a large training set to counter malware.…”
Section: Themes Of This Special Issue (mentioning)
confidence: 99%
“…Therefore, intrusion detection technology has attracted much attention from researchers. [4][5][6][7] The ultimate purpose of intrusion detection is to classify network behavior as normal or abnormal according to certain rules. The goal of intrusion detection is to detect as many attacks as possible with the lowest false alarm rate; that is, the detection system must accurately detect abnormal or attack behavior.…”
Section: Introduction (mentioning)
confidence: 99%
“…[8][9][10] Therefore, it is necessary to establish a detection model that can accurately identify most attacks and handle large-scale data fast enough. Although the recent literature [11][12][13] has solved these problems, it is not suitable for the detection of persistent attacks. Instead of detecting data flows individually, we subcontract data flows according to a certain rule (e.g., all samples in each bag have the same source port), which can improve recall and precision of detection for persistent attacks.…”
Section: Introduction (mentioning)
confidence: 99%