Expressive, Efficient and Obfuscation Resilient Behavior Based IDS

Tokhtabayev, Arnur G.; Skormin, Victor A.; Dolgikh, Andrey

doi:10.1007/978-3-642-15497-3_42

Cited by 12 publications

(6 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The functionalities of interest were defined in the abstract system domain through activity diagrams, and the specified functionality was recognized by Colored Petri Net. They also built behavior‐based intrusion detection systems based on this approach to offer an effective solution against modern malware . Liu et al used a combination of techniques from the behavior monitors and Colored Petri Net for detecting virus and worms.…”

Section: Related Workmentioning

confidence: 99%

Privacy theft malware multi-process collaboration analysis

Fan

Wang

Cheng

et al. 2013

Security Comm. Networks

View full text Add to dashboard Cite

Privacy theft malware has become a serious and challenging problem to cyber security. Previous methods are of different categories: one focuses on the outbound network traffic and the other one dives into the inside information flow of the program. We incorporate dynamic behavior analysis with network traffic analysis and present an abstract model called Privacy Petri Net (PPN), which is more applicable to various kinds of malware and more understandable to users. In consideration of the multi‐process technique adopted by new malware, we also model the collaborative behaviors between different malicious functionality modules with PPN. We apply our approach to real‐world malware, and the experiment result shows that our approach can effectively find categories, content, source, and destination of the privacy theft behavior of the malware sample. Copyright © 2013 John Wiley & Sons, Ltd.

show abstract

Section: Related Workmentioning

confidence: 99%

Privacy theft malware multi-process collaboration analysis

Fan

Wang

Cheng

et al. 2013

Security Comm. Networks

View full text Add to dashboard Cite

show abstract

“…However, a GSR is only defined for file viruses and it does not allow for tracing alternative realizations. Moreover, due to the token dynamics, the CP-net [14] recognition mechanism is more efficient than the one proposed in [3], i.e. state machines.…”

Section: Binary Self-replicationmentioning

confidence: 99%

“…Currently, behavioral metamorphism has not received much attention, and as such has not been studied or defined in the literature, however, an approach for behavioral obfuscation is given in [14]. This approach implies the use of several techniques to alter the realization of the given functionality so that it would have a different footprint in the system call domain.…”

Section: Behavioral Metamorphismmentioning

confidence: 99%

“…Similar to multipartite obfuscation [14], another approach for behavioral metamorphism would be dynamic scattering of malicious functionalities among different benign processes so that none of the processes would have a consistent system call pattern.…”

Section: Behavioral Metamorphismmentioning

confidence: 99%

“…Next, the algorithm introduces IPC between a source process and a sink process. To achieve this, the algorithm adds send and recv operations as a parallel flow (lines [10][11][12][13][14] between the node assigning the variable (source node) and the current operation writing the assigned variable (sink node). Lines 15-20 set PID and attribute expressions of the newly introduced recv node and the current sink operation node, so that the two operations belong to the same process.…”

Section: Specification Generalization Anti-obfuscationmentioning

confidence: 99%

See 2 more Smart Citations

Anomaly-Based Intrusion Detection Systems Utilizing System Call Data

Skormin¹

2012

Self Cite

View full text Add to dashboard Cite

Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing this collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden to Department of Defense, Washington Headquarters Services, Directorate for Information Operations and Reports (0704-0188), 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to any penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number.

show abstract