A practical mimicry attack against powerful system-call monitors
2008
Proceedings of the 2008 ACM symposium on Information, computer and communications security - ASIACCS '08
Mimicry attacks may execute a sequence of dozens of system calls in order to evade detection. ...
Mimicry attacks attempt to evade system-call monitoring IDS by executing innocuous-looking sequences of system calls that accomplish the attacker's goals. ...
Practical system-call monitors accept a superset of T (P ) defined above. ...
doi:10.1145/1368310.1368334
dblp:conf/ccs/ParampalliSJ08
fatcat:rudzphma3nfktiq326chgkuu3m
Mimicry Attacks Demystified: What Can Attackers Do to Evade Detection?
2008
2008 Sixth Annual Conference on Privacy, Security and Trust
If such an attack can be found, it implies that the target detector is vulnerable against mimicry attacks. ...
On the other hand, in this work, we investigate the source of anomalies in both the preamble and the exploit components against two anomaly detectors that monitor four vulnerable UNIX applications. ...
The first author is a recipient of a Killam pre-doctoral scholarship. All research was conducted at Dalhousie NIMS Laboratory, http://www.cs.dal.ca/projectx/. ...
doi:10.1109/pst.2008.25
dblp:conf/pst/KayacikZ08
fatcat:o5kxzntkprfmfpycmrfigkiora
The Evolution of System-Call Monitoring
2008
2008 Annual Computer Security Applications Conference (ACSAC)
The paper discusses the biological principles illustrated by the method, followed by a brief review of how system call monitoring was used in anomaly intrusion detection and the results that were obtained ...
The paper reviews one thread of this active research area, focusing on system-call monitoring and its application to anomaly intrusion detection and response. ...
The authors gratefully acknowledge the many people who encouraged and assisted us during the development of the original system call project. ...
doi:10.1109/acsac.2008.54
dblp:conf/acsac/ForrestAHS08
fatcat:bpfega77lvhnrgx235mj2iutla
Context Sensitive Anomaly Monitoring of Process Control Flow to Detect Mimicry Attacks and Impossible Paths
[chapter]
2004
Lecture Notes in Computer Science
We describe our design and implementation of waypoints and present results showing that waypoint-based anomaly monitors can detect a subset of mimicry attacks and impossible paths. ...
Defense against these attacks emphasizes preventing attacking code from being introduced to the system and detecting or preventing execution of the injected code. ...
, while a local mimicry attack uses the legal system calls of only the running function. ...
doi:10.1007/978-3-540-30143-1_2
fatcat:acp37bhmfvbhxnbi5md6iziady
Security Evaluation of a Banking Fraud Analysis System
2018
ACM Transactions on Privacy and Security
To this end, we design and implement a proof-of-concept attack tool that performs mimicry attacks, emulating a sophisticated attacker that cloaks frauds to avoid detection. ...
and its security against evasive attacks. ...
to the effect of an attack. [30] proposed a mimicry attack methodology against "powerful system call monitors", a detector that has full knowledge of the system call parameters as well as their roles in ...
doi:10.1145/3178370
fatcat:tip2pycnmnatlokaawfpqrs2py
Guarded models for intrusion detection
2007
Proceedings of the 2007 workshop on Programming languages and analysis for security - PLAS '07
However, the weakness of these systems is that they often rely on overly abstracted models that reflect only the control flow structure of programs, and therefore are subject to so-called "mimicry attacks ...
Our model is a generalization of previous models that offers no false alarms, a very low monitoring overhead, and is automatically generated. ...
Rance Delong were a source of many stimulating discussions about this work. ...
doi:10.1145/1255329.1255345
dblp:conf/pldi/Saidi07
fatcat:phohfrsdkzelzgyyptdtxa453y
A Formal Framework for Program Anomaly Detection
[chapter]
2015
Lecture Notes in Computer Science
Forrest et al. summarized existing methods from the perspective of system call monitoring [21]. Feng et al. formalized automaton based methods in [19]. ...
Sharif et al. proved that any system call sequence based method can be simulated by a control-flow based method [52]. ...
However, an attacker can always construct a mimicry attack against any real-world program anomaly detection system. ...
doi:10.1007/978-3-319-26362-5_13
fatcat:4qcygxknqjh45meygssx346vnm
Unsupervised Anomaly-Based Malware Detection Using Hardware Features
[chapter]
2014
Lecture Notes in Computer Science
We show that detection of real-world exploitation of popular programs such as IE and Adobe PDF Reader on a Windows/x86 platform works well in practice. ...
This allows us to detect a wider range of malware, even zero days. ...
This work is supported by grants FA 865011C7190, FA 87501020253, CCF/SaTC 1054844 and a fellowship from the Alfred P. Sloan Foundation. ...
doi:10.1007/978-3-319-11379-1_6
fatcat:67z7oo2r5rge7b63tvkmdfmnym
Behavioral Distance for Intrusion Detection
[chapter]
2006
Lecture Notes in Computer Science
We propose a measure of behavioral distance and a realization of this measure using the system calls emitted by processes. ...
We explore behavioral distance as a means to detect an attack on one process that causes its behavior to deviate from that of another. ...
Resilience against Mimicry Attacks Section 4.2 shows that legitimate requests to the replicas result in system call sequences with small behavioral distances. ...
doi:10.1007/11663812_4
fatcat:q5j4ys6ubvgyxcd3vhwt5shrai
Behavioral Distance Measurement Using Hidden Markov Models
[chapter]
2006
Lecture Notes in Computer Science
We also empirically evaluate the intrusion detection capability of our proposal when used to measure the distance between the system-call behaviors of diverse web servers. ...
In this paper we propose a new approach to behavioral distance calculation using a new type of Hidden Markov Model. ...
Models for detecting anomalous system calls typically monitor the system-call numbers but not their arguments, and so a mimicry attack can issue system calls that are consistent with the model but for ...
doi:10.1007/11856214_2
fatcat:odhrqmsqr5hdppmqgmzrowrxgq
Unsupervised Anomaly-based Malware Detection using Hardware Features
[article]
2014
arXiv
pre-print
These detectors belong to a class of detectors known as signature-based detectors as they catch malware by comparing a program's execution pattern (signature) to execution patterns of known malware programs ...
In this work, we propose a new class of detectors - anomaly-based hardware malware detectors - that do not require signatures for malware detection, and thus can catch a wider range of malware including ...
As such this represents the most powerful attack against our detection approach. ...
arXiv:1403.1631v2
fatcat:ozxpdxdjmfbojgjfzczboxfdj4
Hardware-Based Probabilistic Threat Detection and Estimation for Embedded Systems
2018
2018 IEEE 36th International Conference on Computer Design (ICCD)
Timing-based anomaly detection detects malware by monitoring the system's internal timing, which offers unique protection against mimicry malware compared to sequence-based anomaly detection. ...
However, previous timing-based anomaly detection methods focus on each operation independently at the granularity of tasks, function calls, system calls, or basic blocks. ...
However, sequence-based anomaly detection does not protect against mimicry attacks. Wagner et al. ...
doi:10.1109/iccd.2018.00084
dblp:conf/iccd/CarreonLL18
fatcat:hgbuffyq4zhldibwyghmevyjpu
Beyond Output Voting: Detecting Compromised Replicas Using HMM-Based Behavioral Distance
2009
IEEE Transactions on Dependable and Secure Computing
"Behavioral distance," by which two diverse replicas processing the same inputs are continually monitored to detect divergence in their low-level (system-call) behaviors and hence potentially the compromise ...
of one of them, has been proposed for detecting mimicry attacks. ...
calls, it should better defend against mimicry attacks than the prior ED-based approach [25]. ...
doi:10.1109/tdsc.2008.39
fatcat:kgi4bls2jbbxredeoww3wvj7ey
Research about DoS Attack against ICPS
2019
Sensors
Then, a detection method and a mimicry security switch strategy are proposed to defend against malicious DoS attacks and bring the ICPS under attack back to normal. ...
This paper studies denial-of-services (DoS) attacks against industrial cyber-physical systems (ICPSs) for which we built a proper ICPS model and attack model. ...
In [15], the authors do extensive work on cyber-physical systems, supply a mathematical framework for the systems' attacks and monitors, and present some fundamental monitoring limitations from a system-theoretic ...
doi:10.3390/s19071542
fatcat:7c6fjftzijbbvhgfiqpx3esfl4
Detecting Code Reuse Attacks with a Model of Conformant Program Execution
[chapter]
2014
Lecture Notes in Computer Science
We present a systematic approach based on first principles for the efficient, robust detection of these attacks; our work enforces expected program behavior instead of defending against anticipated attacks ...
To provide an efficient and adoptable solution, we also define observed conformant program execution, which validates program state at system call invocations; we demonstrate that this relaxed model is ...
We note that mimicry attacks [33, 42] allow an attacker to subvert system call monitoring by ensuring that both the call stack of each system call and the sequence of system calls made by a compromised ...
doi:10.1007/978-3-319-04897-0_1
fatcat:j2orydo2qjeqhf3kmn22misxba