IEEE Transactions on Software Engineering - Special issue on computer security and privacy
Death, taxes, and imperfect software: surviving the inevitable
Proceedings of the 1998 workshop on New security paradigms
Temporal sequence learning and data reduction for anomaly detection
ACM Transactions on Information and System Security (TISSEC)
Mimicry attacks on host-based intrusion detection systems
Proceedings of the 9th ACM conference on Computer and communications security
Specification-based anomaly detection: a new approach for detecting network intrusions
Proceedings of the 9th ACM conference on Computer and communications security
Intrusion Detection Using Variable-Length Audit Trail Patterns
RAID '00 Proceedings of the Third International Workshop on Recent Advances in Intrusion Detection
A Real-Time Intrusion Detection System Based on Learning Program Behavior
RAID '00 Proceedings of the Third International Workshop on Recent Advances in Intrusion Detection
Experiences with Specification-Based Intrusion Detection
RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
Detecting Manipulated Remote Call Streams
Proceedings of the 11th USENIX Security Symposium
Secure Execution via Program Shepherding
Proceedings of the 11th USENIX Security Symposium
Throttling Viruses: Restricting propagation to defeat malicious mobile code
ACSAC '02 Proceedings of the 18th Annual Computer Security Applications Conference
Digging For Worms, Fishing For Answers
ACSAC '02 Proceedings of the 18th Annual Computer Security Applications Conference
Building Diverse Computer Systems
HOTOS '97 Proceedings of the 6th Workshop on Hot Topics in Operating Systems (HotOS-VI)
"Why 6?" Defining the Operational Limits of Stide, an Anomaly-Based Intrusion Detector
SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Anomaly Detection Using Call Stack Information
SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
Temporal Signatures for Intrusion Detection
ACSAC '01 Proceedings of the 17th Annual Computer Security Applications Conference
Logic Induction of Valid Behavior Specifications for Intrusion Detection
SP '00 Proceedings of the 2000 IEEE Symposium on Security and Privacy
A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors
SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Intrusion Detection via Static Analysis
SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Countering code-injection attacks with instruction-set randomization
Proceedings of the 10th ACM conference on Computer and communications security
Randomized instruction set emulation to disrupt binary code injection attacks
Proceedings of the 10th ACM conference on Computer and communications security
Bayesian Event Classification for Intrusion Detection
ACSAC '03 Proceedings of the 19th Annual Computer Security Applications Conference
Intrusion Detection: A Bioinformatics Approach
ACSAC '03 Proceedings of the 19th Annual Computer Security Applications Conference
Automated response using system-call delays
SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Address obfuscation: an efficient approach to combat a board range of memory error exploits
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Data mining approaches for intrusion detection
SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
Intrusion detection using sequences of system calls
Journal of Computer Security
Undermining an anomaly-based intrusion detection system using common exploits
RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Accurate buffer overflow detection via abstract payload execution
RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
A sense of self for Unix processes
SP'96 Proceedings of the 1996 IEEE conference on Security and privacy
| Hi-index | 0.00 |
Monitoring at the system-call-level interface has been an important tool in intrusion detection. In this paper, we identify the predictable nature of this monitoring mechanism as one root cause that makes system-call-based intrusion detection systems vulnerable to mimicry attacks. We propose random inspection as a complementary monitoring mechanism to overcome this weakness. We demonstrate that random-inspection-based intrusion detection is inherently effective against mimicry attacks targeted at system-call-based systems. Furthermore, random-inspection-based intrusion detection systems are also very strong stand-alone IDS systems. Our proposed approach is particularly suitable for implementation on the Windows operating system that is known to pose various implementation difficulties for system-call-based systems. To demonstrate the usefulness of random inspection, we have built a working prototype tool: the WindRain IDS. WindRain detects code injection attacks based on information collected at randominspection points with acceptably low overhead. Our experiments show that WindRain is very effective in detecting several popular attacks against Windows. The performance overhead of WindRain compares favorably to many other intrusion detection systems.