The use of program execution traces to detect intrusions has proven to be a successful strategy. Existing systems that employ this approach are anomaly detectors, meaning that they model a program's normal behavior and signal deviations from that behavior. Unfortunately, many program-based exploits of NT systems use specialized malicious executables. Anomaly detection systems cannot deal with such programs because there is no standard of "normalcy" that they deviate from. This paper is a preliminary report on an attempt to remedy that situation. We report on a prototype system that learns to identify specific program behaviors. Though the goal is to identify malicious behavior, in this paper we report on experiments seeking to identify the behavior of the web browser, since we did not have enough exemplars of malicious behavior to use as training data. Using automatically generated finite automata, we search for features in execution traces that allow us to distinguish browsers from other programs. In our experiments, we find that this technique does, in fact, allow us to distinguish traces of Internet Explorer from traces of programs that are not web browsers, after training with Netscape and a different set of non-browsers.