Efficient software-based fault isolation
SOSP '93 Proceedings of the fourteenth ACM symposium on Operating systems principles
Mimicry attacks on host-based intrusion detection systems
Proceedings of the 9th ACM conference on Computer and communications security
Detecting Manipulated Remote Call Streams
Proceedings of the 11th USENIX Security Symposium
Secure Execution via Program Shepherding
Proceedings of the 11th USENIX Security Symposium
Hiding Intrusions: From the Abnormal to the Normal and Beyond
IH '02 Revised Papers from the 5th International Workshop on Information Hiding
FTCS '99 Proceedings of the Twenty-Ninth Annual International Symposium on Fault-Tolerant Computing
"Why 6?" Defining the Operational Limits of Stide, an Anomaly-Based Intrusion Detector
SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Anomaly Detection Using Call Stack Information
SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
A Sense of Self for Unix Processes
SP '96 Proceedings of the 1996 IEEE Symposium on Security and Privacy
A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors
SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Intrusion Detection via Static Analysis
SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Disassembly of Executable Code Revisited
WCRE '02 Proceedings of the Ninth Working Conference on Reverse Engineering (WCRE'02)
Countering code-injection attacks with instruction-set randomization
Proceedings of the 10th ACM conference on Computer and communications security
Address obfuscation: an efficient approach to combat a board range of memory error exploits
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Preventing privilege escalation
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Improving host security with system call policies
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Instrumentation and optimization of Win32/intel executables using Etch
NT'97 Proceedings of the USENIX Windows NT Workshop on The USENIX Windows NT Workshop 1997
Environment-sensitive intrusion detection
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Gray-box extraction of execution graphs for anomaly detection
Proceedings of the 11th ACM conference on Computer and communications security
Anomalous path detection with hardware support
Proceedings of the 2005 international conference on Compilers, architectures and synthesis for embedded systems
ASM: application security monitor
ACM SIGARCH Computer Architecture News - Special issue on the 2005 workshop on binary instrumentation and application
NSPW '05 Proceedings of the 2005 workshop on New security paradigms
Proceedings of the 1st workshop on Architectural and system support for improving software dependability
Memory Protection through Dynamic Access Control
Proceedings of the 39th Annual IEEE/ACM International Symposium on Microarchitecture
Correlating multi-session attacks via replay
HOTDEP'06 Proceedings of the 2nd conference on Hot Topics in System Dependability - Volume 2
Automating mimicry attacks using static binary analysis
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Weighting versus pruning in rule validation for detecting network and host anomalies
Proceedings of the 13th ACM SIGKDD international conference on Knowledge discovery and data mining
An adaptive expert system approach for intrusion detection
International Journal of Security and Networks
A practical mimicry attack against powerful system-call monitors
Proceedings of the 2008 ACM symposium on Information, computer and communications security
The Long-Short-Key Primitive and Its Applications to Key Security
IWSEC '08 Proceedings of the 3rd International Workshop on Security: Advances in Information and Computer Security
Automatically Adapting a Trained Anomaly Detector to Software Patches
RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
Exploiting Temporal Persistence to Detect Covert Botnet Channels
RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
Exploiting execution context for the detection of anomalous system calls
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Understanding precision in host based intrusion detection: formal analysis and practical models
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Correlating multi-session attacks via replay
HotDep'06 Proceedings of the Second conference on Hot topics in system dependability
Virtual machine monitor-based lightweight intrusion detection
ACM SIGOPS Operating Systems Review
A gray-box DPDA-based intrusion detection technique using system-call monitoring
Proceedings of the 8th Annual Collaboration, Electronic messaging, Anti-Abuse and Spam Conference
Behavioral distance for intrusion detection
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Improving host-based IDS with argument abstraction to prevent mimicry attacks
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Environment-sensitive intrusion detection
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Behavioral distance measurement using hidden markov models
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
Automated discovery of mimicry attacks
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
Proceedings of the 34th International Conference on Software Engineering
Sound input filter generation for integer overflow errors
Proceedings of the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
Hi-index | 0.00 |
Many host-based anomaly detection systems monitor a process ostensibly running a known program by observing the system calls the process makes. Numerous improvements to the precision of this approach have been proposed, such as tracking system call sequences, and various "gray-box" extensions such as examining the program counter or return addresses on the stack when system calls are made. In this paper, we perform the first systematic study of a wide spectrum of such methods. We show that prior approaches can be organized along three axes, revealing new possibilities for system-call-based program tracking. Through an empirical analysis of this design space, we shed light on the benefits and costs of various points in the space and identify new regions that appear to outperform prior approaches. In separate contributions, we demonstrate novel mimicry attacks on a recent proposal using return addresses for system-call-based program tracking, and then suggest randomization techniques to make such attacks more difficult.