Model-Carrying Code (MCC): a new paradigm for mobile-code security
Proceedings of the 2001 workshop on New security paradigms
Simple, state-based approaches to program-based anomaly detection
ACM Transactions on Information and System Security (TISSEC)
Learning nonstationary models of normal network traffic for detecting novel attacks
Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining
Buffer overflow and format string overflow vulnerabilities
Software—Practice & Experience - Special issue: Security software
Anomaly Detection Using Call Stack Information
SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
Model-carrying code: a practical approach for safe execution of untrusted applications
SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
Network traffic anomaly detection based on packet bytes
Proceedings of the 2003 ACM symposium on Applied computing
Towards NIC-based intrusion detection
Proceedings of the ninth ACM SIGKDD international conference on Knowledge discovery and data mining
SELF: a transparent security extension for ELF binaries
Proceedings of the 2003 workshop on New security paradigms
MORPHEUS: motif oriented representations to purge hostile events from unlabeled sequences
Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security
Gray-box extraction of execution graphs for anomaly detection
Proceedings of the 11th ACM conference on Computer and communications security
Anomalous path detection with hardware support
Proceedings of the 2005 international conference on Compilers, architectures and synthesis for embedded systems
Hardware support for code integrity in embedded processors
Proceedings of the 2005 international conference on Compilers, architectures and synthesis for embedded systems
A multi-model approach to the detection of web-based attacks
Computer Networks: The International Journal of Computer and Telecommunications Networking - Web security
Fast and automated generation of attack signatures: a basis for building self-protecting servers
Proceedings of the 12th ACM conference on Computer and communications security
The design and implementation of a self-healing database system
Journal of Intelligent Information Systems - Special issue: Database and applications security
System Call Monitoring Using Authenticated System Calls
IEEE Transactions on Dependable and Secure Computing
HeapMD: identifying heap-based bugs using anomaly detection
Proceedings of the 12th international conference on Architectural support for programming languages and operating systems
Evading network anomaly detection systems: formal reasoning and practical techniques
Proceedings of the 13th ACM conference on Computer and communications security
Using Branch Correlation to Identify Infeasible Paths for Anomaly Detection
Proceedings of the 39th Annual IEEE/ACM International Symposium on Microarchitecture
Memory Protection through Dynamic Access Control
Proceedings of the 39th Annual IEEE/ACM International Symposium on Microarchitecture
Factor-analysis based anomaly detection and clustering
Decision Support Systems
NetHost-sensor: Monitoring a target host's application via system calls
Information Security Tech. Report
Learning DFA representations of HTTP for protecting web applications
Computer Networks: The International Journal of Computer and Telecommunications Networking
CuPIDS: An exploration of highly focused, co-processor-based information system protection
Computer Networks: The International Journal of Computer and Telecommunications Networking
Automatic high-performance reconstruction and recovery
Computer Networks: The International Journal of Computer and Telecommunications Networking
RemoteFS: accessing remote file systems for desktop grid computing
Proceedings of the 2007 ACM symposium on Applied computing
ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference
On gray-box program tracking for anomaly detection
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Automating mimicry attacks using static binary analysis
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Non-control-data attacks are realistic threats
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Protecting against unexpected system calls
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Analysis of Computer Intrusions Using Sequences of Function Calls
IEEE Transactions on Dependable and Secure Computing
Weighting versus pruning in rule validation for detecting network and host anomalies
Proceedings of the 13th ACM SIGKDD international conference on Knowledge discovery and data mining
Mining specifications of malicious behavior
Proceedings of the 6th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering
Programming asynchronous layers with CLARITY
Proceedings of the 6th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering
Trace anomalies as precursors of field failures: an empirical study
Empirical Software Engineering
Information Security Tech. Report
Mining specifications of malicious behavior
ISEC '08 Proceedings of the 1st India software engineering conference
Switchblade: enforcing dynamic personalized system call models
Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems 2008
Control of system calls from outside of virtual machines
Proceedings of the 2008 ACM symposium on Applied computing
A practical mimicry attack against powerful system-call monitors
Proceedings of the 2008 ACM symposium on Information, computer and communications security
Seeing the invisible: forensic uses of anomaly detection and machine learning
ACM SIGOPS Operating Systems Review
Prevention of information attacks by run-time detection of self-replication in computer codes
Journal of Computer Security
Behavioral detection of malware on mobile handsets
Proceedings of the 6th international conference on Mobile systems, applications, and services
Detecting energy-greedy anomalies and mobile malware variants
Proceedings of the 6th international conference on Mobile systems, applications, and services
High-order Markov kernels for intrusion detection
Neurocomputing
Static Analysis on x86 Executables for Preventing Automatic Mimicry Attacks
DIMVA '07 Proceedings of the 4th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Signature Generation and Detection of Malware Families
ACISP '08 Proceedings of the 13th Australasian conference on Information Security and Privacy
System Call API Obfuscation (Extended Abstract)
RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Vigilante: End-to-end containment of Internet worm epidemics
ACM Transactions on Computer Systems (TOCS)
Containment of network worms via per-process rate-limiting
Proceedings of the 4th international conference on Security and privacy in communication networks
Cooperative Intrusion Detection Model Based on State Transition Analysis
Computer Supported Cooperative Work in Design IV
Hierarchical Classifiers for Complex Spatio-temporal Concepts
Transactions on Rough Sets IX
An Automata Based Authorship Identification System
New Frontiers in Applied Data Mining
Instruction-level countermeasures against stack-based buffer overflow attacks
Proceedings of the 1st EuroSys Workshop on Virtualization Technology for Dependable Systems
Transparent Process Monitoring in a Virtual Environment
Electronic Notes in Theoretical Computer Science (ENTCS)
A static API birthmark for Windows binary executables
Journal of Systems and Software
Hardware-assisted run-time monitoring for secure program execution on embedded processors
IEEE Transactions on Very Large Scale Integration (VLSI) Systems
Selecting and Improving System Call Models for Anomaly Detection
DIMVA '09 Proceedings of the 6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment
The future of biologically-inspired security: is there anything left to learn?
NSPW '07 Proceedings of the 2007 Workshop on New Security Paradigms
Control-flow integrity principles, implementations, and applications
ACM Transactions on Information and System Security (TISSEC)
Indirect Branch Validation Unit
Microprocessors & Microsystems
A multi-model approach to the detection of web-based attacks
Computer Networks: The International Journal of Computer and Telecommunications Networking - Web security
Fides: remote anomaly-based cheat detection using client emulation
Proceedings of the 16th ACM conference on Computer and communications security
Automatically Adapting a Trained Anomaly Detector to Software Patches
RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
Application Data Consistency Checking for Anomaly Based Intrusion Detection
SSS '09 Proceedings of the 11th International Symposium on Stabilization, Safety, and Security of Distributed Systems
Exploiting execution context for the detection of anomalous system calls
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Understanding precision in host based intrusion detection: formal analysis and practical models
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Swaddler: an approach for the anomaly-based detection of state violations in web applications
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
A sandbox with a dynamic policy based on execution contexts of applications
ASIAN'07 Proceedings of the 12th Asian computing science conference on Advances in computer science: computer and network security
Efficient and practical control flow monitoring for program security
ASIAN'06 Proceedings of the 11th Asian computing science conference on Advances in computer science: secure software and related issues
Efficient, context-sensitive detection of real-world semantic attacks
PLAS '10 Proceedings of the 5th ACM SIGPLAN Workshop on Programming Languages and Analysis for Security
A Framework for Large-Scale Detection of Web Site Defacements
ACM Transactions on Internet Technology (TOIT)
Automatic discovery of parasitic malware
RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Behavior abstraction in malware analysis
RV'10 Proceedings of the First international conference on Runtime verification
Artificial malware immunization based on dynamically assigned sense of self
ISC'10 Proceedings of the 13th international conference on Information security
Some ideas on virtualized system security, and monitors
DPM'10/SETOP'10 Proceedings of the 5th international Workshop on data privacy management, and 3rd international conference on Autonomous spontaneous security
High-order markov kernels for network intrusion detection
ICONIP'06 Proceedings of the 13th international conference on Neural information processing - Volume Part III
SLA-based complementary approach for network intrusion detection
Computer Communications
Operating system interface obfuscation and the revealing of hidden operations
DIMVA'11 Proceedings of the 8th international conference on Detection of intrusions and malware, and vulnerability assessment
Modular behavior profiles in systems with shared libraries (short paper)
ICICS'06 Proceedings of the 8th international conference on Information and Communications Security
PAKDD'06 Proceedings of the 10th Pacific-Asia conference on Advances in Knowledge Discovery and Data Mining
Anomaly detection method based on HMMs using system call and call stack information
CIS'05 Proceedings of the 2005 international conference on Computational Intelligence and Security - Volume Part II
Detecting the deviations of privileged process execution
ICN'05 Proceedings of the 4th international conference on Networking - Volume Part II
A probabilistic method for detecting anomalous program behavior
WISA'04 Proceedings of the 5th international conference on Information Security Applications
Lightweight defect localization for java
ECOOP'05 Proceedings of the 19th European conference on Object-Oriented Programming
COTS diversity based intrusion detection and application to web servers
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Behavioral distance for intrusion detection
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Improving host-based IDS with argument abstraction to prevent mimicry attacks
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
On random-inspection-based intrusion detection
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Behavioral distance measurement using hidden markov models
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
Automated discovery of mimicry attacks
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
A dead-lock free self-healing algorithm for distributed transactional processes
ICISS'06 Proceedings of the Second international conference on Information Systems Security
Taint-enhanced anomaly detection
ICISS'11 Proceedings of the 7th international conference on Information Systems Security
Argus: online statistical bug detection
FASE'06 Proceedings of the 9th international conference on Fundamental Approaches to Software Engineering
Runtime countermeasures for code injection attacks against C and C++ programs
ACM Computing Surveys (CSUR)
NORT: runtime anomaly-based monitoring of malicious behavior for windows
RV'11 Proceedings of the Second international conference on Runtime verification
Improving malware classification: bridging the static/dynamic gap
Proceedings of the 5th ACM workshop on Security and artificial intelligence
Fmeter: extracting indexable low-level system signatures by counting kernel function calls
Proceedings of the 13th International Middleware Conference
Proceedings of the 7th International Conference on Ubiquitous Information Management and Communication
Process firewalls: protecting processes during resource access
Proceedings of the 8th ACM European Conference on Computer Systems
Automated oracles: an empirical study on cost and effectiveness
Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering
A mechanism for achieving a bound on execution performance of process group to limit CPU abuse
The Journal of Supercomputing
Security and protection of SCADA: a bigdata algorithmic approach
Proceedings of the 6th International Conference on Security of Information and Networks
Control-flow integrity principles, implementations, and applications
ACM Transactions on Information and System Security (TISSEC)
Abstract: Forrest et al. introduced a new intrusion detection approach that identifies anomalous sequences of system calls executed by programs. Since their work, anomaly detection on system call sequences has become perhaps the most successful approach for detecting novel intrusions. A natural way to learn sequences is to use a finite-state automaton (FSA). However, previous research seemed to indicate that FSA learning is computationally expensive, that it cannot be completely automated, or that the space usage of the FSA may be excessive. We present a new approach in this paper that overcomes these difficulties. Our approach builds a compact FSA in a fully automatic and efficient manner, without requiring access to the programs' source code. The space requirements of the FSA are low: of the order of a few kilobytes for typical programs. The FSA uses only constant time per system call during both the learning and the detection period, which leads to low overheads for intrusion detection. Unlike many of the previous techniques, our FSA technique can capture both short-term and long-term temporal relationships among system calls, and thus performs more accurate detection. For instance, the FSA can capture common program structures such as branches, joins and loops. This enables our approach to generalize and predict future behaviors from past behaviors: if a program executed a loop once in an execution, the FSA approach can generalize and predict that the same loop may be executed zero or more times in subsequent executions. As a result, the training periods needed for our FSA-based approach are shorter. Moreover, false positives are reduced without increasing the likelihood of missing attacks. This paper describes our FSA-based technique and presents a comprehensive experimental evaluation of it.
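The learning and detection loop the abstract describes, as an added example that is not the paper's code: states are program locations, edges are labelled with system calls, each event costs one hash lookup, and a loop seen twice in training is accepted for any number of iterations while a call the program never made from that point raises an alert. Pairing each system call with the location (return address) it was issued from, and the addresses 0x10 to 0x40, are this example's assumptions, not something the abstract states.

```python
from collections import defaultdict


class SyscallFSA:
    """States are program locations; an edge s --call--> t records that a
    system call `call` issued at location t followed one issued at s."""
    START = "START"

    def __init__(self):
        self.edges = defaultdict(set)  # (state, call) -> {next states}

    def learn(self, trace):
        """Add one training run: one hash insert per system call."""
        state = self.START
        for loc, call in trace:
            self.edges[(state, call)].add(loc)
            state = loc

    def detect(self, trace):
        """Return (index, loc, call) for events with no matching edge.
        After a mismatch the automaton resynchronises on the observed
        location, so alerts stay localised to the deviating region."""
        state, anomalies = self.START, []
        for i, (loc, call) in enumerate(trace):
            if loc not in self.edges.get((state, call), ()):
                anomalies.append((i, loc, call))
            state = loc
        return anomalies


def loop_trace(iterations):
    """Constructed trace: open a file, read/write in a loop `iterations`
    times, close. The locations are made-up addresses (assumption)."""
    events = [(0x10, "open")]
    for _ in range(iterations):
        events += [(0x20, "read"), (0x30, "write")]
    return events + [(0x40, "close")]


def demo():
    fsa = SyscallFSA()
    fsa.learn(loop_trace(2))            # training saw the loop body twice
    normal = fsa.detect(loop_trace(5))  # five iterations: no alerts
    zero = fsa.detect(loop_trace(0))    # zero iterations never trained: alert
    injected = loop_trace(3)
    injected.insert(3, (0x20, "execve"))  # constructed foreign call mid-loop
    return normal, zero, fsa.detect(injected)
```

The zero-iteration run is flagged because training never showed `close` directly after `open`; adding one such run to the training set makes the automaton accept zero or more iterations, which is the generalisation the abstract refers to.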