Anagram: A content anomaly detector resistant to mimicry attack

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 4219 LNCS, Issue , 2006, Pages 226-248

  Wang, Ke ^a   Parekh, Janak J ^a   Stolfo, Salvatore J ^a  

^a Columbia University ^*  (United States)

Author keywords

[No Author keywords available]

Indexed keywords

CORRELATION METHODS; DETECTORS; FEEDBACK; MATHEMATICAL MODELS; SENSORS;

BLOOM FILTERS; NETWORK PACKET PAYLOADS; SEMI-SUPERVISED TRAINING;

COMPUTER CRIME;

EID: 33750335757     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/11856214_12     Document Type: Conference Paper

References (39)

1. Kolesnikov, O., D. Dagon, and W. Lee, Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic, in USENIX Security Symposium. 2006: Vancouver, BC, Canada.
2. Moore, D., et al. Internet Quarantine: Requirements for Containing Self-Propagating Code, in INFOCOM. 2003.
3. Staniford-Chen, S., V. Paxson, and N. Weaver. How to Own the Internet in Your Spare Time, in USENIX Security. 2002.
4. Christodorescu, M. and S. Jha. Static Analysis of Executables to Detect Malicious Patterns, in USENIX Security Symposium. 2003. Washington, D.C.
5. Vargiya, R. and P. Chan. Boundary Detection in Tokenizing Network Application Payload for Anomaly Detection, in ICDM Workshop on Data Mining for Computer Security (DMSEC). 2003. Melbourne, FL.
6. Kruegel, C., et al. Polymorphic Worm Detection Using Structural Information of Executables, in Symposium on Recent Advances in Intrusion Detection. 2005. Seattle, WA.
7. Sekar, R., et al. Specification-based Anomaly Detection: A New Approach for Detecting Network Intrusions, in ACM Conference on Computer and Communications Security. 2002. Washington, D.C.
8. Kruegel, C., T. Toth, and E. Kirda. Service Specific Anomaly Detection for Network Intrusion Detection, in Symposium on Applied Computing (SAC). 2002. Madrid, Spain.
9. Wang, X., et al. SigFree: A Signature-free Buffer Overflow Attack Blocker, in USENIX Security. 2006. Boston, MA.
10. Wang, K. and S.J. Stolfo. Anomalous Payload-based Network Intrusion Detection, in Symposium on Recent Advances in Intrusion Detection. 2004. Sophia Antipolis, France.
11. Wang, K., G. Cretu, and S.J. Stolfo. Anomalous Payload-based Worm Detection and Signature Generation, in Symposium on Recent Advances in Intrusion Detection. 2005. Seattle, WA.
12. SourceFire Inc. Snort rulesets. 2006 [cited 2006 April 4]; Available from: http://www.snort.org/pub-bin/downloads.cgi.
13. Locasto, M.E., S. Sidiroglou, and A.D. Keromytis. Application Communities: Using Monoculture for Dependability, in HotDep. 2005.
14. Locasto, M.E., S. Sidiroglou, and A.D. Keromytis. Software Self-Healing Using Collaborative Application Communities, in Internet Society (ISOC) Symposium on Network and Distributed Systems Security. 2006. San Diego, CA.
15. Marceau, C. Characterizing the Behavior of a Program Using Multiple-Length N-grams. in New Security Paradigms Workshop. 2000. Cork, Ireland.
16. Forrest, S., et al. A Sense of Self for Unix Processes, in IEEE Symposium on Security and Privacy. 1996.
17. Tan, K.M.C. and R.A. Maxion. Why 6? Defining the Operational Limits of slide, an Anomaly-Based Intrusion Detector, in IEEE Symposium on Security and Privacy. 2002. Berkeley, CA.
18. Crandall, J.R., et al. On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic and Metamorphic Worm Exploits, in ACM Conference on Computer and Communications Security. 2005. Alexandria, VA.
19. Newsome, J., B. Karp, and D. Song. Polygraph: Automatically Generating Signatures. for Polymorphic Worms, in IEEE Security and Privacy. 2005. Oakland, CA.
20. Singh, S., et al. Automated Worm Fingerprinting, in 6th Symposium on Operating Systems Design and Implementation (OSDI '04). 2004. San Francisco, CA.
21. Bloom, B.H., Space/time trade-offs in Hash Coding with Allowable Errors. Communications of the ACM, 1970.13(7): p. 422-426.
22. Naor, M. and M. Yung. Universal One-Way Hash Functions and their Cryptographic Applications, in ACM Symposium on Theory of Computing. 1989. Seattle, WA.
23. Parekh, J.J., K. Wang, and S.J. Stolfo. Privacy-Preserving Payload-Based Correlation for Accurate Malicious Traffic Detection, in Large-Scale Attack Detection, Workshop at SIGCOMM. 2006. Pisa, Italy.
24. Detristan, T., et al. Polymorphic Shellcode Engine Using Spectrum Analysis. Phrack 2003 [cited 2006 March 28]; Available from: http://www.phrack.org/show.php?p=61&a=9.
25. Barreno, M., et al. Can Machine Learning Be Secure? in ASIACCS. 2006.
26. Cowan, C., et al. StackGuard: Automatic Adaptive Detection and Prevention of BufferOverflow Attacks, in USENIX Security Symposium. 1998. San Antonio, TX.
27. Sidiroglou, S., et al. Building a Reactive Immune System for Software Services, in USENIX. 2005. Anaheim, CA.
28. Sidiroglou, S., G. Giovanidis, and A.D. Keromytis. A Dynamic Mechanism for Recovering from Buffer Overflow Attacks, in 8th Information Security Conference. 2005. Singapore.
29. Locasto, M.E., et al. FLIPS: Hybrid Adaptive Intrusion Prevention, in Symposium on Recent Advances in Intrusion Detection. 2005. Seattle, W A.
30. Locasto, M.E., M. Burnside, and A.D. Keromytis, Bloodhound: Searching Out Malicious Input in Network Flows for Automatic Repair Validation. 2006, Columbia University Department of Computer Science: New York, NY.
31. Kreibich, C. and J. Crowcroft. Honeycomb - Creating Intrusion Detection Signatures Using Honeypots. in ACM Workshop on Hot Topics in Networks. 2003. Boston, MA.
32. Singh, S., et al. The EarlyBird System for Real-Time Detection of Unknown Worms, in ACM Workshop on Hot Topics in Networks. 2003. Boston, MA.
33. Kim, H.-A. and B. Karp. Autograph: Toward Automated, Distributed Worm Signature Detection, in USENIX Security Symposium. 2004. San Diego, CA.
34. Wang, HJ., et al. Shield: Vulnerability-Driven Network Filters for Preventing Known Vulnerability Exploits. in ACM SIGCOMM. 2004.
35. Liang, Z. and R. Sekar. Fast and Automated Generation of Attack Signatures: A Basis for Building Self-Protecing Servers, in ACM Conference on Computer and Communications Security. 2005. Alexandria, VA.
36. K2. ADMmutate. 2001 [cited 2006 March 29]; Available from: http://www.ktwo.ca/security.html.
37. Wagner, D. and D. Dean. Intrusion Detection via Static Analysis, in IEEE Security and Privacy. 2001. Oakland, CA.
38. Wagner, D. and P. Soto. Mimicry Attacks on Host-Based Intrusion Detection Systems. in ACM CCS. 2002.
39. Tan, K.M.C., K.S. Killourhy, and R.A. Maxion. Undermining an Anomaly-Based Intrusion Detection System Using Common Exploits, in Symposium on Recent Advances in Intrusion Detection. 2002. Zurich, Switzerland.