Gray-box extraction of execution graphs for anomaly detection

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2004, Pages 318-329

  Gao, Debin ^a   Reitert, Michael K ^a   Song, Dawn ^a  

^a CARNEGIE MELLON UNIVERSITY   (United States)

Author keywords

Anomaly detection; Control flow graph; Intrusion detection; System call monitoring

Indexed keywords

COMPUTER OPERATING SYSTEMS; COMPUTER SOFTWARE; GRAPH THEORY; HTTP; INTERFACES (COMPUTER); MATHEMATICAL MODELS; SERVERS; THEOREM PROVING;

ANOMALY DETECTION; CONTROL FLOW GRAPH; INTRUSION DETECTION; SYSTEM CALL MONITORING;

SECURITY OF DATA;

EID: 14844297052     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1030083.1030126     Document Type: Conference Paper

References (21)

1. C. Collberg, C. Thomborson and D. Low. Manufacturing cheap, resilient, and stealthy opaque constructs. In Proceedings of the ACM Symposium on Principles of Programming Languages, January 1998.
2. H. Feng, J. Giffin, Y. Huang, S. Jha, W. Lee and B. Miller. Formalizing sensitivity in static analysis for intrusion detection. In Proceedings of the 2004 IEEE Symposium on Security and Privacy, May 2004.
3. H. Feng, O. Kolesnikov, P. Fogla, W. Lee and W. Gong. Anomaly detection using call stack information. In Proceedings of the 2003 IEEE Symposium on Security and Privacy, pages 62-75, May 2003.
4. S. Forrest, S. Hofmeyr, A. Somayaji, and T. Longstaff. A sense of self for Unix processes. In Proceedings of the 1996 IEEE Symposium on Security and Privacy, pages 120-128, May 1996.
5. D. Gao, M. K. Reiter and D. Song. On gray-box program tracking for anomaly detection. In Proceedings of the 13th USENIX Security Symposium, pages 103-118, August 2004.
6. J. Giffin, S. Jha and B. Miller. Detecting manipulated remote call streams. In Proceedings of the 11th USENIX Security Symposium, August 2002.
7. J. Giffin, S. Jha and B. Miller. Efficient context-sensitive intrusion detection. In Proceeding of Symposium on Network and Distributed System Security, Febuary 2004.
8. C. Kruegel, D. Mutz, F. Valeur and G. Vigna. On the detection of anomalous system call arguments. In Proceeding of ESORICS 2003, October 2003.
9. X. Lu. A Linux executable editing library. Master's Thesis, Computer and Information Science, National Unviersity of Singpaore. 1999.
10. M. Prasad and T. Chiueh. A binary rewriting defense against stack based buffer overflow attacks. In USENIX Annual Technical Conference, General Track, June 2003.
11. N. Provos. Improving host security with system call policies. In Proceeding of the 12th USENIX Security Symposium, August 2003.
12. N. Provos, M. Friedl and P. Honeyman. Preventing privilege escalation. In Proceeding of the 12th USENIX Security Symposium, August 2003.
13. T. Romer, G. Voelker, D. Lee, A. Wolman, W. Wong, H. Levy, B. Bershad and B. Chen. Instrumentation and optimization of Win32/Intel executables using etch. In Proceeding of the USENIX Windows NT workshop, August 1997.
14. B. Schwarz, S. Debray and G. Andrews. Disassembly of executable code revisited. In Proceeding of Working Conference on Reverse Engineering, pages 45-54, October 2002.
15. R. Sekar, M. Bendre, D. Dhurjati and P. Bollineni. A fast automaton-based method for detecting anomalous program behaviors. In Proceedings of the 2001 IEEE Symposium on Security and Privacy, pages 144-155, May 2001.
16. K. Tan and R. Maxion. "Why 6?" - Denning the operational limits of stide, an anomaly-based intrusion detector. In Proceedings of the 2002 IEEE Symposium on Security and Privacy, pages 188-201, May 2002.
17. D. Wagner. Janus: an approach for confinement of untrusted applications. Technical Report CSD-99-1056, Department of Computer Science, University of California at Berkeley, August 1999.
18. D. Wagner and D. Dean. Intrusion detection via static analysis. In Proceedings of the 2001 IEEE Symposium on Security and Privacy, pages 156-168, May 2001.
19. R. Wahbe, S. Lucco, T. E. Anderson and S. L. Graham. Efficient software-based fault isolation. In Proceeding of the Symposium on Operating System Principles, 1993.
20. A. Wespi, M. Dacier and H. Debar. An intrusion-detection system based on the Teiresias pattern-discovery algorithm. In Proceedings of the 1999 European Institute for Computer Anti-Virus Research Conference, 1999.
21. A. Wespi, M. Dacier and H. Debar. Intrusion detection using variable-length audit trail patterns. In Proceedings of the 2000 Recent Advances in Intrusion Detection, pages 110-129, October 2000.