Practical Unix and Internet security (2nd ed.)
Practical Unix and Internet security (2nd ed.)
Remus: a security-enhanced operating system
ACM Transactions on Information and System Security (TISSEC)
Foundations of Computer Science
Foundations of Computer Science
Mimicry attacks on host-based intrusion detection systems
Proceedings of the 9th ACM conference on Computer and communications security
"Why 6?" Defining the Operational Limits of Stide, an Anomaly-Based Intrusion Detector
SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Anomaly Detection Using Call Stack Information
SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors
SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Operating system stability and security through process homeostasis
Operating system stability and security through process homeostasis
Automated response using system-call delays
SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Improving host security with system call policies
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
On gray-box program tracking for anomaly detection
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Intrusion detection using sequences of system calls
Journal of Computer Security
Undermining an anomaly-based intrusion detection system using common exploits
RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Determining the operational limits of an anomaly-based intrusion detector
IEEE Journal on Selected Areas in Communications
Timing considerations in detecting resource starvation attacks using statistical profiles
International Journal of Electronic Security and Digital Forensics
Enhancing Intrusion Detection System with proximity information
International Journal of Security and Networks
Masquerade attacks based on user's profile
Journal of Systems and Software
| Hi-index | 0.00 |
A popular class of host-based Intrusion Detection Systems (IDS) are those based on comparing the system call trace of a process against a set of k-grams. However, the detection mechanism in such IDS can be evaded by cloaking an attack as a mimicry attack. In this paper, we give an algorithm that transforms a detectable attack into a mimicry attack. We demonstrate on a number of examples that using this algorithm, mimicry attacks can be easily constructed on self-based IDS with a set of k-grams and also a more precise graph profile representation. We enhance the IDS by making use of the system call arguments and process credentials. To avoid increasing the false positives, a supplied specification is used to abstract the system call arguments and process credentials. The specification takes into account what objects in the system that can be sensitive to potential attacks, and highlights the occurrence of “dangerous” operations. With this simple extension, we show that the robustness of the IDS is increased. Our preliminary experiments show that on our example programs and attacks, it was no longer possible to construct mimicry attacks. We also demonstrate that the enhanced IDS provides resistance to a variety of common attack strategies.