Protecting running programs from exploits has been the focus of many host-based intrusion detection systems. To this end, various formal methods have been developed that either require manual construction of attack signatures or model normal program behavior in order to detect exploits. In terms of the ability to discover new attacks before an infection spreads, the signature-based approach has been found to lack flexibility, since a signature exists only for attacks that are already known. Consequently, in this paper we present an anomaly monitoring system, NORT, that verifies on the fly whether running programs comply with their expected normal behavior. The model of normal behavior is based on a rich set of discriminators, such as minimal infrequent and maximal frequent iterative patterns of system calls and the relative entropy between distributions of system calls. Experiments run on malware samples have shown that our approach is able to detect a broad range of attacks effectively with very low overhead.
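To make the two discriminators concrete, the following is an added example (not NORT's code, and not the authors' algorithm) of a toy syscall anomaly monitor. It learns from constructed "normal" traces and scores a new trace on (a) relative entropy, i.e. KL divergence between the trace's smoothed system call distribution and the training baseline, and (b) system call patterns in the trace that never reached minimum support during training. Fixed-length n-grams are used here as a stand-in for the paper's iterative patterns, and the Laplace smoothing constant, the n-gram length, the support count and the threshold margin are all assumed parameters chosen for illustration; the traces themselves are constructed, not recorded from real programs.

```python
"""Toy host-based anomaly monitor built on two NORT-style discriminators.

Added example, not the NORT implementation. All traces below are constructed
by hand for illustration; n-grams are a simplification of iterative patterns.
"""
import math
from collections import Counter

# Constructed "normal" traces of a hypothetical small file-serving program.
NORMAL_TRACES = [
    ["open", "read", "write", "close", "open", "read", "write", "close"],
    ["open", "read", "read", "write", "close", "open", "read", "write", "close"],
    ["open", "read", "write", "write", "close"],
    ["open", "read", "write", "close", "open", "read", "read", "write", "close"],
]

# Constructed trace of the same program after a shell-spawning exploit:
# the process suddenly opens a socket, redirects stdio and executes a binary.
ATTACK_TRACE = ["open", "read", "socket", "connect", "dup2", "dup2", "execve"]


def ngrams(trace, n):
    """All length-n windows of a syscall trace, as tuples."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def mine_frequent_ngrams(traces, n, min_support):
    """Frequent fixed-length patterns: n-grams present in at least
    min_support training traces (support is counted once per trace)."""
    support = Counter()
    for trace in traces:
        support.update(set(ngrams(trace, n)))
    return {g for g, c in support.items() if c >= min_support}


def distribution(calls, alphabet, alpha=0.5):
    """Laplace-smoothed syscall frequency distribution over `alphabet`.
    Smoothing (assumed alpha) keeps every probability > 0 so that the
    relative entropy is finite even for syscalls never seen in training."""
    counts = Counter(calls)
    total = len(calls) + alpha * len(alphabet)
    return {s: (counts[s] + alpha) / total for s in alphabet}


def relative_entropy(p, q):
    """KL divergence D(p || q) in bits; p and q share keys and q > 0."""
    return sum(p[s] * math.log2(p[s] / q[s]) for s in p if p[s] > 0)


class Model:
    """Normal-behavior model: frequent patterns plus a baseline distribution."""

    def __init__(self, traces, n=3, min_support=2, kl_margin=3.0):
        self.n = n
        self.train_calls = [s for t in traces for s in t]
        self.alphabet = sorted(set(self.train_calls))
        self.frequent = mine_frequent_ngrams(traces, n, min_support)
        # Threshold: the largest KL any training trace shows against the
        # baseline, times an assumed safety margin.
        baseline = distribution(self.train_calls, self.alphabet)
        worst = max(relative_entropy(distribution(t, self.alphabet), baseline)
                    for t in traces)
        self.kl_threshold = worst * kl_margin

    def score(self, trace):
        # Extend the alphabet so unseen syscalls get a (small) baseline mass.
        alphabet = sorted(set(self.alphabet) | set(trace))
        p = distribution(trace, alphabet)
        q = distribution(self.train_calls, alphabet)
        kl = relative_entropy(p, q)
        unseen = sorted(g for g in set(ngrams(trace, self.n))
                        if g not in self.frequent)
        return {
            "kl_bits": kl,
            "unseen_patterns": unseen,
            "anomalous": kl > self.kl_threshold or bool(unseen),
        }


if __name__ == "__main__":
    model = Model(NORMAL_TRACES)
    for name, trace in (("normal", NORMAL_TRACES[3]), ("attack", ATTACK_TRACE)):
        result = model.score(trace)
        print(f"{name}: kl={result['kl_bits']:.3f} bits, "
              f"unseen={len(result['unseen_patterns'])}, "
              f"anomalous={result['anomalous']}")
```

In this setup the normal trace scores roughly 0.09 bits of relative entropy with no unseen patterns, while the attack trace scores about 1.8 bits and contains five 3-grams that never reached support, so either discriminator alone would flag it. A real monitor has to choose the smoothing, window length and threshold from much larger traces, and a mimicry attacker will try to interleave the malicious calls with enough normal ones to keep both scores below threshold, which is why combining several discriminators matters.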