Gray-box extraction of execution graphs for anomaly detection

Gao, Debin; Reiter, Michael K.; Song, Dawn

doi:10.1145/1030083.1030126

Cited by 93 publications

(75 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our return value sniffer is available under the GNU GPL at our website 5 . We show that using a window of return values, including values returned by sibling and parent functions, can make return value prediction as accurate as 97%.…”

Section: Resultsmentioning

confidence: 99%

“…A popular approach to observing program behavior utilizes anomaly detection on a profile derived from system call sequences [1][2][3][4][5]. Relatively little attention has been paid to the question of building profiles -in a non-invasive fashion -at a level of detail that includes the application's internal behavior.…”

Section: Observing Program Behaviormentioning

confidence: 99%

“…Feng et al [4] and Bhatkar et al [20] contain good overviews of the literature in this space. Most approaches to host-based intrusion detection perform anomaly detection [2,16,5,21] on sequences of system calls and their arguments [22] because the system call interface represents the services that user-level malcode, once activated, must use to effect persistent state changes and other forms of I/O. System call information is easy to collect; the strace(1) and ltrace(1) tools for Linux are built to do exactly that.…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Return Value Predictability Profiles for Self–healing

Locasto

Stavrou²,

Cretu

et al. 2008

Advances in Information and Computer Security

View full text Add to dashboard Cite

Abstract. Current embryonic attempts at software self-healing produce mechanisms that are often oblivious to the semantics of the code they supervise. We believe that, in order to help inform runtime repair strategies, such systems require a more detailed analysis of dynamic application behavior. We describe how to profile an application by analyzing all function calls (including library and system) made by a process. We create predictability profiles of the return values of those function calls. Self-healing mechanisms that rely on a transactional approach to repair (that is, rolling back execution to a known safe point in control flow or slicing off the current function sequence) can benefit from these return value predictability profiles. Profiles built for the applications we tested can predict behavior with 97% accuracy given a context window of 15 functions. We also present a survey of the distribution of actual return values for real software as well as a novel way of visualizing both the macro and micro structure of the return value distributions. Our system helps demonstrate the feasibility of combining binary-level behavior profiling with self-healing repairs.

show abstract

Section: Resultsmentioning

confidence: 99%

Section: Observing Program Behaviormentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Return Value Predictability Profiles for Self–healing

Locasto

Stavrou²,

Cretu

et al. 2008

Advances in Information and Computer Security

View full text Add to dashboard Cite

show abstract

“…Such intrusion detection systems are efficient in detecting classical attacks which obviously modify the sequences of system calls emitted by the application, but are easy to evade by mimicing the sequence of system calls the application is supposed to emit [20]. To contend this kind of attacks, proposals have been done to enhance the behavioral model with process internal information, such as the content of the call stack or the value of the program counter at the time of system calls [12]. Such approaches, called gray-box approaches, indeed make mimicry attacks more difficult to succeed but remain unable to detect anything but control flow integrity violation.…”

Section: Introductionmentioning

confidence: 99%

Building an Application Data Behavior Model for Intrusion Detection

Sarrouy

Totel

Jouga

2009

Data and Applications Security XXIII

View full text Add to dashboard Cite

Abstract. Application level intrusion detection systems usually rely on the immunological approach. In this approach, the application behavior is compared at runtime with a previously learned application profile of the sequence of system calls it is allowed to emit. Unfortunately, this approach cannot detect anything but control flow violation and thus remains helpless in detecting the attacks that aim pure application data. In this paper, we propose an approach that would enhance the detection of such attacks. Our proposal relies on a data oriented behavioral model that builds the application profile out of dynamically extracted invariant constraints on the application data items.

show abstract

“…Intrusion detection systems (IDS) are the most popular type of anomaly detectors (there are countless references). But also operating systems are a prominent target for anomaly detectors (cf eg [2], [4] and [8]). …”

Section: Introductionmentioning

confidence: 99%

A Comprehensive Approach to Anomaly Detection in Relational Databases

Spalka

Lehnhardt²

2005

Data and Applications Security XIX

View full text Add to dashboard Cite

Abstract. Anomaly detection systems assume that a certain deviation from the regular behaviour of a system can be an indicator for a security violation. They proved their usefulness to networks and operating systems for a long time, but are much less prominent in the field of databases. Relational databases operate on attributes within relations, ie, on data with a very uniform structure, which makes them a prime target for anomaly detection systems. This work presents such a system for the database extension and the user interaction with a DBMS; it also proposes a misuse detection system for the database scheme. In a comprehensive investigation we compare two approaches to deal with the database extension, one based on reference values and one based on ∆-relations, and show that already standard statistical functions yield good detection results. We then apply our methods to the user interaction, which is split into user input and DBMS behaviour. All methods have been implemented in a semi-automatic anomaly detection tool for the MS SQL Server 2000.

show abstract

Gray-box extraction of execution graphs for anomaly detection

Cited by 93 publications

References 14 publications

Return Value Predictability Profiles for Self–healing

Return Value Predictability Profiles for Self–healing

Building an Application Data Behavior Model for Intrusion Detection

A Comprehensive Approach to Anomaly Detection in Relational Databases

Contact Info

Product

Resources

About