Exploiting execution context for the detection of anomalous system calls

Authors:
Darren Mutz;William Robertson;Giovanni Vigna;Richard Kemmerer
Affiliations:
Department of Computer Science, University of California, Santa Barbara;Department of Computer Science, University of California, Santa Barbara;Department of Computer Science, University of California, Santa Barbara;Department of Computer Science, University of California, Santa Barbara
Venue:
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Year:
2007

Citing 19
Cited 11

Exploiting hardware performance counters with flow and context sensitive profiling

Proceedings of the ACM SIGPLAN 1997 conference on Programming language design and implementation
Interprocedural pointer alias analysis

ACM Transactions on Programming Languages and Systems (TOPLAS)
Mimicry attacks on host-based intrusion detection systems

Proceedings of the 9th ACM conference on Computer and communications security
Inducing Probabilistic Grammars by Bayesian Model Merging

ICGI '94 Proceedings of the Second International Colloquium on Grammatical Inference and Applications
Hidden Markov Model} Induction by Bayesian Model Merging

Advances in Neural Information Processing Systems 5, [NIPS Conference]
Learning Fingerprints for a Database Intrusion Detection System

ESORICS '02 Proceedings of the 7th European Symposium on Research in Computer Security
Detecting Manipulated Remote Call Streams

Proceedings of the 11th USENIX Security Symposium
Anomaly Detection Using Call Stack Information

SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
A Sense of Self for Unix Processes

SP '96 Proceedings of the 1996 IEEE Symposium on Security and Privacy
A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors

SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Intrusion Detection via Static Analysis

SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Model-carrying code: a practical approach for safe execution of untrusted applications

SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
Bayesian Event Classification for Intrusion Detection

ACSAC '03 Proceedings of the 19th Annual Computer Security Applications Conference
Importance of heap specialization in pointer analysis

Proceedings of the 5th ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering
Gray-box extraction of execution graphs for anomaly detection

Proceedings of the 11th ACM conference on Computer and communications security
Anomalous system call detection

ACM Transactions on Information and System Security (TISSEC)
Context-sensitive multi-model anomaly detection

Context-sensitive multi-model anomaly detection
On gray-box program tracking for anomaly detection

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Automating mimicry attacks using static binary analysis

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14

Efficiently tracking application interactions using lightweight virtualization

Proceedings of the 1st ACM workshop on Virtual machine security
Return Value Predictability Profiles for Self---healing

IWSEC '08 Proceedings of the 3rd International Workshop on Security: Advances in Information and Computer Security
Efficient, context-sensitive detection of real-world semantic attacks

PLAS '10 Proceedings of the 5th ACM SIGPLAN Workshop on Programming Languages and Analysis for Security
Malicious shellcode detection with virtual memory snapshots

INFOCOM'10 Proceedings of the 29th conference on Information communications
Enhancing Intrusion Detection System with proximity information

International Journal of Security and Networks
Operating system interface obfuscation and the revealing of hidden operations

DIMVA'11 Proceedings of the 8th international conference on Detection of intrusions and malware, and vulnerability assessment
Artificial intelligence and the future of cybersecurity

Proceedings of the 4th ACM workshop on Security and artificial intelligence
On leveraging stochastic models for remote attestation

INTRUST'10 Proceedings of the Second international conference on Trusted Systems
Taint-enhanced anomaly detection

ICISS'11 Proceedings of the 7th international conference on Information Systems Security
A sense of others: behavioral attestation of UNIX processes on remote platforms

Proceedings of the 6th International Conference on Ubiquitous Information Management and Communication
Realization of dynamic behavior using remotely verifiable n-call slides in Unix process execution trace

Proceedings of the 7th International Conference on Ubiquitous Information Management and Communication

Quantified Score

Hi-index	0.00

Visualization

Abstract

Attacks against privileged applications can be detected by analyzing the stream of system calls issued during process execution. In the last few years, several approaches have been proposed to detect anomalous system calls. These approaches are mostly based on modeling acceptable system call sequences. Unfortunately, the techniques proposed so far are either vulnerable to certain evasion attacks or are too expensive to be practical. This paper presents a novel approach to the analysis of system calls that uses a composition of dynamic analysis and learning techniques to characterize anomalous system call invocations in terms of both the invocation context and the parameters passed to the system calls. Our technique provides a more precise detection model with respect to solutions proposed previously, and, in addition, it is able to detect data modification attacks, which cannot be detected using only system call sequence analysis.