
A practical mimicry attack against powerful system-call monitors

Chetan Parampalli, R. Sekar, Rob Johnson
2008 Proceedings of the 2008 ACM symposium on Information, computer and communications security - ASIACCS '08  
Mimicry attacks may execute a sequence of dozens of system calls in order to evade detection.  ...  Mimicry attacks attempt to evade system-call monitoring IDS by executing innocuous-looking sequences of system calls that accomplish the attacker's goals.  ...  Practical system-call monitors accept a superset of T (P ) defined above.  ... 
doi:10.1145/1368310.1368334 dblp:conf/ccs/ParampalliSJ08 fatcat:rudzphma3nfktiq326chgkuu3m

Mimicry Attacks Demystified: What Can Attackers Do to Evade Detection?

Hilmi Günes Kayacik, A. Nur Zincir-Heywood
2008 2008 Sixth Annual Conference on Privacy, Security and Trust  
If such an attack can be found, it implies that the target detector is vulnerable against mimicry attacks.  ...  On the other hand, in this work, we investigate the source of anomalies in both the preamble and the exploit components against two anomaly detectors that monitor four vulnerable UNIX applications.  ...  The first author is a recipient of a Killam pre-doctoral scholarship. All research was conducted at Dalhousie NIMS Laboratory,  ... 
doi:10.1109/pst.2008.25 dblp:conf/pst/KayacikZ08 fatcat:o5kxzntkprfmfpycmrfigkiora

The Evolution of System-Call Monitoring

Stephanie Forrest, Steven Hofmeyr, Anil Somayaji
2008 2008 Annual Computer Security Applications Conference (ACSAC)  
The paper discusses the biological principles illustrated by the method, followed by a brief review of how system call monitoring was used in anomaly intrusion detection and the results that were obtained  ...  The paper reviews one thread of this active research area, focusing on system-call monitoring and its application to anomaly intrusion detection and response.  ...  The authors gratefully acknowledge the many people who encouraged and assisted us during the development of the original system call project.  ... 
doi:10.1109/acsac.2008.54 dblp:conf/acsac/ForrestAHS08 fatcat:bpfega77lvhnrgx235mj2iutla

Context Sensitive Anomaly Monitoring of Process Control Flow to Detect Mimicry Attacks and Impossible Paths [chapter]

Haizhi Xu, Wenliang Du, Steve J. Chapin
2004 Lecture Notes in Computer Science  
We describe our design and implementation of waypoints and present results showing that waypoint-based anomaly monitors can detect a subset of mimicry attacks and impossible paths.  ...  Defense against these attacks emphasizes preventing attacking code from being introduced to the system and detecting or preventing execution of the injected code.  ...  , while a local mimicry attack uses the legal system calls of only the running function.  ... 
doi:10.1007/978-3-540-30143-1_2 fatcat:acp37bhmfvbhxnbi5md6iziady

Security Evaluation of a Banking Fraud Analysis System

Michele Carminati, Mario Polino, Andrea Continella, Andrea Lanzi, Federico Maggi, Stefano Zanero
2018 ACM Transactions on Privacy and Security  
To this end, we design and implement a proof-of-concept attack tool that performs mimicry attacks, emulating a sophisticated attacker that cloaks frauds to avoid detection.  ...  and its security against evasive attacks.  ...  to the effect of an attack. [30] proposed a mimicry attack methodology against "powerful system call monitors", detector that has full knowledge of the system call parameters as well as their roles in  ... 
doi:10.1145/3178370 fatcat:tip2pycnmnatlokaawfpqrs2py

Guarded models for intrusion detection

Hassen Saïdi
2007 Proceedings of the 2007 workshop on Programming languages and analysis for security - PLAS '07  
However, the weakness of these systems is that they often rely on overly abstracted models that reflect only the control flow structure of programs, and therefore are subject to so-called "mimicry attacks  ...  Our model is a generalization of previous models that offers no false alarms, a very low monitoring overhead, and is automatically generated.  ...  Rance Delong were a source of many stimulating discussions about this work.  ... 
doi:10.1145/1255329.1255345 dblp:conf/pldi/Saidi07 fatcat:phohfrsdkzelzgyyptdtxa453y

A Formal Framework for Program Anomaly Detection [chapter]

Xiaokui Shu, Danfeng Yao, Barbara G. Ryder
2015 Lecture Notes in Computer Science  
Forrest et al. summarized existing methods from the perspective of system call monitoring [21]. Feng et al. formalized automaton based methods in [19].  ...  Sharif et al. proved that any system call sequence based method can be simulated by a control-flow based method [52].  ...  However, an attacker can always construct a mimicry attack against any real-world program anomaly detection system.  ... 
doi:10.1007/978-3-319-26362-5_13 fatcat:4qcygxknqjh45meygssx346vnm

Unsupervised Anomaly-Based Malware Detection Using Hardware Features [chapter]

Adrian Tang, Simha Sethumadhavan, Salvatore J. Stolfo
2014 Lecture Notes in Computer Science  
We show that detection of real-world exploitation of popular programs such as IE and Adobe PDF Reader on a Windows/x86 platform works well in practice.  ...  This allows us to detect a wider range of malware, even zero days.  ...  This work is supported by grants FA 865011C7190, FA 87501020253, CCF/SaTC 1054844 and a fellowship from the Alfred P. Sloan Foundation.  ... 
doi:10.1007/978-3-319-11379-1_6 fatcat:67z7oo2r5rge7b63tvkmdfmnym

Behavioral Distance for Intrusion Detection [chapter]

Debin Gao, Michael K. Reiter, Dawn Song
2006 Lecture Notes in Computer Science  
We propose a measure of behavioral distance and a realization of this measure using the system calls emitted by processes.  ...  We explore behavioral distance as a means to detect an attack on one process that causes its behavior to deviate from that of another.  ...  Resilience against Mimicry Attacks Section 4.2 shows that legitimate requests to the replicas result in system call sequences with small behavioral distances.  ... 
doi:10.1007/11663812_4 fatcat:q5j4ys6ubvgyxcd3vhwt5shrai

Behavioral Distance Measurement Using Hidden Markov Models [chapter]

Debin Gao, Michael K. Reiter, Dawn Song
2006 Lecture Notes in Computer Science  
We also empirically evaluate the intrusion detection capability of our proposal when used to measure the distance between the system-call behaviors of diverse web servers.  ...  In this paper we propose a new approach to behavioral distance calculation using a new type of Hidden Markov Model.  ...  Models for detecting anomalous system calls typically monitor the system-call numbers but not their arguments, and so a mimicry attack can issue system calls that are consistent with the model but for  ... 
doi:10.1007/11856214_2 fatcat:odhrqmsqr5hdppmqgmzrowrxgq

Unsupervised Anomaly-based Malware Detection using Hardware Features [article]

Adrian Tang, Simha Sethumadhavan, Salvatore Stolfo
2014 arXiv   pre-print
These detectors belong to a class of detectors known as signature-based detectors as they catch malware by comparing a program's execution pattern (signature) to execution patterns of known malware programs  ...  In this work, we propose a new class of detectors - anomaly-based hardware malware detectors - that do not require signatures for malware detection, and thus can catch a wider range of malware including  ...  As such this represents the most powerful attack against our detection approach.  ... 
arXiv:1403.1631v2 fatcat:ozxpdxdjmfbojgjfzczboxfdj4

Hardware-Based Probabilistic Threat Detection and Estimation for Embedded Systems

Nadir Amin Carreon, Sixing Lu, Roman Lysecky
2018 2018 IEEE 36th International Conference on Computer Design (ICCD)  
Timing-based anomaly detection detects malware by monitoring the system's internal timing, which offers unique protection against mimicry malware compared to sequence-based anomaly detection.  ...  However, previous timing-based anomaly detection methods focus on each operation independently at the granularity of tasks, function calls, system calls, or basic blocks.  ...  However, sequence-based anomaly detection does not protect against mimicry attacks. Wagner et al.  ... 
doi:10.1109/iccd.2018.00084 dblp:conf/iccd/CarreonLL18 fatcat:hgbuffyq4zhldibwyghmevyjpu

Beyond Output Voting: Detecting Compromised Replicas Using HMM-Based Behavioral Distance

D. Gao, M.K. Reiter, D. Song
2009 IEEE Transactions on Dependable and Secure Computing  
"Behavioral distance," by which two diverse replicas processing the same inputs are continually monitored to detect divergence in their low-level (system-call) behaviors and hence potentially the compromise  ...  of one of them, has been proposed for detecting mimicry attacks.  ...  calls, it should better defend against mimicry attacks than the prior ED-based approach [25] .  ... 
doi:10.1109/tdsc.2008.39 fatcat:kgi4bls2jbbxredeoww3wvj7ey

Research about DoS Attack against ICPS

Jianlei Gao, Senchun Chai, Baihai Zhang, Yuanqing Xia
2019 Sensors  
Then, a detection method and a mimicry security switch strategy are proposed to defend against malicious DoS attacks and bring the ICPS under attack back to normal.  ...  This paper studies denial-of-services (DoS) attacks against industrial cyber-physical systems (ICPSs) for which we built a proper ICPS model and attack model.  ...  In [15] , the authors do a lot of work about cyber-physical systems, supply a mathematical framework of the systems' attacks and monitors, present some fundamental monitoring limitations from a system-theoretic  ... 
doi:10.3390/s19071542 fatcat:7c6fjftzijbbvhgfiqpx3esfl4

Detecting Code Reuse Attacks with a Model of Conformant Program Execution [chapter]

Emily R. Jacobson, Andrew R. Bernat, William R. Williams, Barton P. Miller
2014 Lecture Notes in Computer Science  
We present a systematic approach based on first principles for the efficient, robust detection of these attacks; our work enforces expected program behavior instead of defending against anticipated attacks  ...  To provide an efficient and adoptable solution, we also define observed conformant program execution, which validates program state at system call invocations; we demonstrate that this relaxed model is  ...  We note that mimicry attacks [33, 42] allow an attacker to subvert system call monitoring by ensuring that both the call stack of each system call and the sequence of system calls made by a compromised  ... 
doi:10.1007/978-3-319-04897-0_1 fatcat:j2orydo2qjeqhf3kmn22misxba