Context Sensitive Anomaly Monitoring of Process Control Flow to Detect Mimicry Attacks and Impossible Paths
[chapter]
2004
Lecture Notes in Computer Science
We describe our design and implementation of waypoints and present results showing that waypoint-based anomaly monitors can detect a subset of mimicry attacks and impossible paths. ...
Waypoints actively log trustworthy context information as the program executes, allowing our anomaly monitor to both monitor control flow and restrict system call permissions to conform to the legitimate ...
Acknowledgments We thank Kyung-suk Lhee and the anonymous referees for their helpful comments. ...
doi:10.1007/978-3-540-30143-1_2
fatcat:acp37bhmfvbhxnbi5md6iziady
A Formal Framework for Program Anomaly Detection
[chapter]
2015
Lecture Notes in Computer Science
Control-flow based metrics, such as average branching factor, are developed for evaluating specific groups of program anomaly detection methods [59]. ...
The merit of program anomaly detection is its independence from attack signatures, which enables proactive defense against new and unknown attacks. ...
The authors would like to thank Trent Jaeger, Gang Tan, R. Sekar, David Evans and Dongyan Xu for their feedback on this work. ...
doi:10.1007/978-3-319-26362-5_13
fatcat:4qcygxknqjh45meygssx346vnm
Efficient, context-sensitive detection of real-world semantic attacks
2010
Proceedings of the 5th ACM SIGPLAN Workshop on Programming Languages and Analysis for Security - PLAS '10
Prior work on context-sensitive anomaly detection relied on stack-walking, which incurs overheads of 50% to over 200%. ...
Anomaly detection must balance precision and sensitivity: high sensitivity leads to many benign behaviors appearing anomalous (false positives), while low sensitivity may miss attacks. ...
PCC to Jikes RVM 2.9.2; Chris Ryder for PCC bug fixes; Sam Guyer for helpful discussions; and Bert Maher, Wei Le, and the anonymous reviewers for valuable feedback on the text. ...
doi:10.1145/1814217.1814218
dblp:conf/pldi/BondSMS10
fatcat:zytihjnfcfbddiaeejuajurb3a
Taint-Enhanced Anomaly Detection
[chapter]
2011
Lecture Notes in Computer Science
... code or script injection), but their applicability to a broader range of attacks (non-control data attacks, path traversals, race condition attacks, and other unknown attacks) is limited by the need ...
Anomaly detection has been popular for a long time due to its ability to detect novel attacks. However, its practical deployment has been limited due to false positives. ...
Furthermore, it is susceptible to two types of attacks, namely mimicry [31] and impossible path execution (IPE). ...
doi:10.1007/978-3-642-25560-1_11
fatcat:i47aeqqekfepzbs5m3zcdc53om
An Anomalous Behavior Detection Method Using System Call Sequences for Distributed Application
2015
KSII Transactions on Internet and Information Systems
Thus, it is difficult to detect anomalous behaviors and determine the location and scope of abnormal nodes, and some attacks and misuse cannot be detected. ...
To address this problem, we introduce a method for detecting anomalous behaviors based on process algebra. We specify the architecture of the behavior detection model and the detection algorithm. ...
(c) The read or write lock operations appear in system calls, such as rlock and wlock. The method of rewriting a process expression is to create a process expression for (a), (b), (c); for instance, ...
doi:10.3837/tiis.2015.02.010
fatcat:wxrnyox36jdxppyofkgbqkhydm
UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats
[article]
2020
arXiv
pre-print
Advanced Persistent Threats (APTs) are difficult to detect due to their "low-and-slow" attack patterns and frequent use of zero-day exploits. ...
Our evaluation shows that UNICORN outperforms an existing state-of-the-art APT detection system and detects real-life APT scenarios with high accuracy. ...
The goal of their work is mainly to identify important process features that are likely to be relevant to APT attacks (e.g., a process' lifetime and path information). ...
arXiv:2001.01525v1
fatcat:cljlsnrtsfamhlhtnzptydwd6i
PsycoTrace: Virtual and Transparent Monitoring of a Process Self
2009
2009 17th Euromicro International Conference on Parallel, Distributed and Network-based Processing
PsycoTrace is a set of tools to protect a process P from attacks that alter P self as specified by its source code. ...
We describe PsycoTrace overall architecture and focus on the run-time and introspection tools that enable the monitoring machine to check that a trace is legal and to transparently access the memory of ...
They discuss the callgraph model, built by analyzing the control-flow of the program, which is then extended to the abstract stack model to take into account impossible paths. ...
doi:10.1109/pdp.2009.45
dblp:conf/pdp/BaiardiMST09
fatcat:yoq4hhstqvf73bfns2x7opckzi
Detecting Malicious Javascript in PDF through Document Instrumentation
2014
2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks
When an instrumented document is opened, the context monitoring code inside will cooperate with our runtime monitor to detect potential infection attempts in the context of Javascript execution. ...
Our approach statically extracts a set of static features and inserts context monitoring code into a document. ...
ACKNOWLEDGMENT We would like to thank the anonymous reviewers for their insightful and valuable comments. ...
doi:10.1109/dsn.2014.92
dblp:conf/dsn/LiuWS14
fatcat:ueasgwvl3bhdrfkekp7drjoljq
Semantics-aware detection of targeted attacks: a survey
2016
Journal in Computer Virology and Hacking Techniques
Out of 123 identified papers, 60 were found to be relevant in the context of this study. ...
To overcome these obstacles, we present a structured review of semantics-aware works that have a high potential for contributing to the analysis or detection of targeted attacks. ...
The financial support by the Austrian Federal Ministry of Science, Research and Economy and the National Foundation for Research, Technology and Development is gratefully acknowledged. ...
doi:10.1007/s11416-016-0273-3
fatcat:flhbpc4uwbandby2adxi62t64u
Transparent Process Monitoring in a Virtual Environment
2009
Electronic Notes in Theoretical Computer Science
PsycoTrace is a system that integrates static and dynamic tools to protect a process from attacks that alter the process self as specified by the program source code. ...
The static tools build a context-free grammar that describes the sequences of system calls the process may issue and a set of assertions on the process state, one for each invocation. ...
The paper introduces the callgraph model, built by analyzing the control-flow of the program. Then, this model is extended to the abstract stack model to take into account impossible paths. ...
doi:10.1016/j.entcs.2009.03.016
fatcat:ysvhrpvkn5h27l63cyf4vvjlpu
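The entries above describe one failure mode from several angles: a callgraph or n-gram model over system-call names accepts an impossible path because every individual transition is legal, an abstract-stack or call-stack model rejects it because the return goes to the wrong site, and an attacker who can also forge the call stack can still mimic a legitimate trace, which is why the waypoint paper logs context the program cannot tamper with. The following Python is an added example, not code from any of the papers listed; the toy server, its return addresses, the traces and the virtual-path encoding of stack context are all constructed for illustration.

```python
"""Context-insensitive vs. context-sensitive system-call monitoring.

Added example; program, syscall names and return addresses are constructed.
A trace is a list of (syscall, stack) pairs, where stack is the tuple of
return addresses a stack-walking or waypoint monitor records at the moment of
the call, outermost frame first.
"""

# Constructed return addresses of a toy server. serve_request() and
# admin_command() both call the same read_file() helper; only admin_command(),
# reached after an authentication check not modelled here, goes on to execve.
RET_MAIN_SERVE = "main+0x20"               # into main after call serve_request
RET_SERVE_READFILE = "serve_request+0x14"  # into serve_request after call read_file
RET_MAIN_ADMIN = "main+0x30"               # into main after call admin_command
RET_ADMIN_READFILE = "admin_command+0x14"  # into admin_command after call read_file

# Benign training trace (constructed): one request served, then one admin command.
TRAINING_TRACE = [
    ("open",   (RET_MAIN_SERVE, RET_SERVE_READFILE)),
    ("read",   (RET_MAIN_SERVE, RET_SERVE_READFILE)),
    ("close",  (RET_MAIN_SERVE, RET_SERVE_READFILE)),
    ("write",  (RET_MAIN_SERVE,)),
    ("open",   (RET_MAIN_ADMIN, RET_ADMIN_READFILE)),
    ("read",   (RET_MAIN_ADMIN, RET_ADMIN_READFILE)),
    ("close",  (RET_MAIN_ADMIN, RET_ADMIN_READFILE)),
    ("execve", (RET_MAIN_ADMIN,)),
]


class SyscallBigramModel:
    """Context-insensitive: accepts any sequence whose adjacent syscall pairs
    were all seen in training, whichever function issued them."""

    def __init__(self):
        self.pairs = set()

    def train(self, trace):
        names = [call for call, _ in trace]
        self.pairs.update(zip(names, names[1:]))

    def anomalies(self, trace):
        """Indices i whose transition trace[i] -> trace[i+1] was never seen."""
        names = [call for call, _ in trace]
        return [i for i, p in enumerate(zip(names, names[1:])) if p not in self.pairs]


def virtual_path(prev_call, prev_stack, call, stack):
    """Frames popped (innermost first) and pushed between two syscalls, plus the
    two syscall names. This 'virtual path' encoding of call-stack context is an
    assumption of this example, not the exact abstraction of the papers above."""
    common = 0
    while common < min(len(prev_stack), len(stack)) and prev_stack[common] == stack[common]:
        common += 1
    return (prev_call, tuple(reversed(prev_stack[common:])), tuple(stack[common:]), call)


class VirtualPathModel:
    """Context-sensitive: accepts only virtual paths seen in training."""

    def __init__(self):
        self.paths = set()

    def train(self, trace):
        for (a, sa), (b, sb) in zip(trace, trace[1:]):
            self.paths.add(virtual_path(a, sa, b, sb))

    def anomalies(self, trace):
        return [i for i, ((a, sa), (b, sb)) in enumerate(zip(trace, trace[1:]))
                if virtual_path(a, sa, b, sb) not in self.paths]


# Impossible path: an overflow in read_file() during serve_request() corrupts the
# saved return address so execution resumes in admin_command() right after its
# own call to read_file(), reaching execve without authentication. The order
# close -> execve is legal, but the frame under execve is still serve_request's.
IMPOSSIBLE_PATH_TRACE = [
    ("open",   (RET_MAIN_SERVE, RET_SERVE_READFILE)),
    ("read",   (RET_MAIN_SERVE, RET_SERVE_READFILE)),  # overflow happens here
    ("close",  (RET_MAIN_SERVE, RET_SERVE_READFILE)),
    ("execve", (RET_MAIN_SERVE,)),
]

# Mimicry with a forged stack: after the overflow the attacker issues harmless
# calls (close, a zero-length write, open/read/close of /dev/null) and writes
# admin_command's return addresses onto the stack first, so every transition,
# context included, matches training.
MIMICRY_TRACE = [
    ("open",   (RET_MAIN_SERVE, RET_SERVE_READFILE)),
    ("read",   (RET_MAIN_SERVE, RET_SERVE_READFILE)),  # overflow happens here
    ("close",  (RET_MAIN_SERVE, RET_SERVE_READFILE)),
    ("write",  (RET_MAIN_SERVE,)),
    ("open",   (RET_MAIN_ADMIN, RET_ADMIN_READFILE)),  # forged context from here on
    ("read",   (RET_MAIN_ADMIN, RET_ADMIN_READFILE)),
    ("close",  (RET_MAIN_ADMIN, RET_ADMIN_READFILE)),
    ("execve", (RET_MAIN_ADMIN,)),
]


def evaluate():
    """Train both models on the benign trace; return the flagged transitions."""
    bigram, vpath = SyscallBigramModel(), VirtualPathModel()
    bigram.train(TRAINING_TRACE)
    vpath.train(TRAINING_TRACE)
    return {
        "bigram_impossible_path": bigram.anomalies(IMPOSSIBLE_PATH_TRACE),
        "vpath_impossible_path": vpath.anomalies(IMPOSSIBLE_PATH_TRACE),
        "bigram_mimicry": bigram.anomalies(MIMICRY_TRACE),
        "vpath_mimicry": vpath.anomalies(MIMICRY_TRACE),
    }


if __name__ == "__main__":
    print(evaluate())
```

Trained on the benign trace, the bigram model flags nothing on either attack trace. The virtual-path model flags transition 2 of the impossible path (close to execve with serve_request's frame still underneath) but nothing on the mimicry trace, whose stacks were forged to match admin_command's context. That residual gap is what monitor-owned, trustworthy context such as waypoints is meant to close, and it is only closed if the context is collected on every call, which is where the stack-walking overhead discussed in the PLAS'10 entry comes from.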
Runtime Detection of Zero-Day Vulnerability Exploits in Contemporary Software Systems
[chapter]
2016
Lecture Notes in Computer Science
This model is used at runtime to detect exploitation of unknown security vulnerabilities using anomaly detection style techniques. ...
A methodology is proposed that can be used to build a model of expected application execution paths during the software development cycle. ...
other [15], thus at increased precision and reduced chance for mimicry attack [19]. ...
doi:10.1007/978-3-319-41483-6_24
fatcat:a3cdjtrcijav7jyek5oyfbg6ye
Results-oriented security
2011
2011 6th International Conference on Malicious and Unwanted Software
Current security practice is to examine incoming messages, commands, data, and executing processes for attacks that can then be countered. ...
This position paper argues that this practice is counterproductive because the number and variety of attacks are far greater than we can cope with. ...
Acknowledgements: Matt Bishop thanks the National Science Foundation for the support of grants CCF-0905503 and CNS-1049738 to the University of California at Davis. ...
doi:10.1109/malware.2011.6112325
dblp:conf/malware/BishopFR11
fatcat:rpjenhsdrreddfalmu3fxr5yxi
N-Gram against the Machine: On the Feasibility of the N-Gram Network Analysis for Binary Protocols
[chapter]
2012
Lecture Notes in Computer Science
Other attacks specifically designed to target Industrial Control Systems (ICS, which include nuclear power plants and oil and gas extraction and distribution facilities) have been disclosed recently [3] ...
These attacks could not be detected by current, signature-based detection solutions, while, at least in theory, they could be detected by state-of-the-art anomaly-based systems. ...
The research leading to these results has been supported by the Ministry of Security and Justice of the Kingdom of the Netherlands through projects Hermes, Castor and Midas and by the European Commission ...
doi:10.1007/978-3-642-33338-5_18
fatcat:bn3e2hmkvjamxlxomufc43fsti
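As an added example (not the paper's code, method or results), the Python below builds the kind of byte n-gram model the entry refers to over constructed Modbus/TCP requests and scores constructed suspicious frames against it. The frames, the decision to strip the MBAP header before modelling, the novelty score and the threshold are all assumptions of this example; the scores also make concrete the precision/sensitivity trade-off raised in the PLAS'10 entry above.

```python
"""Byte n-gram anomaly scoring for a binary ICS protocol.

Added example. The frames are constructed Modbus/TCP requests (7-byte MBAP
header followed by the PDU); the model and its scores are this example's own.
"""


def pdu(frame: bytes) -> bytes:
    """Strip the MBAP header (transaction id, protocol id, length, unit id).
    Transaction ids change per request and would otherwise fill the model with
    n-grams that say nothing about what the request does."""
    return frame[7:]


def ngrams(data: bytes, n: int):
    return [data[i:i + n] for i in range(len(data) - n + 1)]


class NGramModel:
    """Set of byte n-grams observed in benign PDUs."""

    def __init__(self, n: int):
        self.n = n
        self.seen = set()

    def train(self, frames):
        for frame in frames:
            self.seen.update(ngrams(pdu(frame), self.n))

    def score(self, frame: bytes):
        """Return (unseen, total): how many of the PDU's n-grams are novel."""
        grams = ngrams(pdu(frame), self.n)
        return sum(1 for g in grams if g not in self.seen), len(grams)

    def is_anomalous(self, frame: bytes, threshold: float) -> bool:
        unseen, total = self.score(frame)
        return total > 0 and unseen / total > threshold


# Constructed benign traffic from one HMI to unit 1: Read Holding Registers
# (function 0x03) and Write Single Register (function 0x06).
BENIGN = [
    bytes.fromhex("0001 0000 0006 01 03 0000 000a"),
    bytes.fromhex("0002 0000 0006 01 03 000a 0002"),
    bytes.fromhex("0003 0000 0006 01 06 0001 0064"),
    bytes.fromhex("0004 0000 0006 01 06 0001 0032"),
]

# Constructed suspicious requests.
DIAGNOSTICS = bytes.fromhex("0005 0000 0006 01 08 0000 0000")  # function 0x08, never seen
WRITE_FFFF = bytes.fromhex("0006 0000 0006 01 06 0001 ffff")   # known function, extreme value
DEVICE_ID = bytes.fromhex("0007 0000 0005 01 2b 0e 01 00")     # function 0x2b, never seen


def evaluate(n: int, threshold: float):
    """Train on BENIGN and return (unseen, total, verdict) for each test frame."""
    model = NGramModel(n)
    model.train(BENIGN)
    return {name: (*model.score(f), model.is_anomalous(f, threshold))
            for name, f in [("diagnostics", DIAGNOSTICS),
                            ("write_ffff", WRITE_FFFF),
                            ("device_id", DEVICE_ID)]}


if __name__ == "__main__":
    for n in (2, 3):
        print(n, evaluate(n, threshold=0.2))
```

With n = 2 the unseen diagnostics function code yields only one novel bigram out of four, because the rest of the frame is zero padding already present in benign reads, while an extreme value on a perfectly legitimate write yields two out of four. The score measures novelty of byte sequences, not intent, so wherever the threshold is set it either misses the unknown function code or flags the unusual-but-legal write; that is the feasibility question for zero-heavy binary protocols, and a protocol-aware feature such as the function code itself separates these two cases far more cheaply.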
Non-Control-Data Attacks Are Realistic Threats
2005
USENIX Security Symposium
Attackers are currently focused on control-data attacks, but it is clear that when control flow protection techniques shut them down, they have incentives to study and employ non-control-data attacks. ...
This paper emphasizes the importance of future research efforts to address this realistic threat. (Footnote 1: Other terms are used to refer to attacks that do not alter control flow.) ...
Acknowledgments We owe thanks to many people for their insightful suggestions and extensively detailed comments on the technical contents and the presentation of this paper. ...
dblp:conf/uss/Chen0S05
fatcat:wrnupggnmjb4vls6akc4vqqkq4
On the Security of Machine Learning in Malware C&C Detection
2016
ACM Computing Surveys
In particular, several approaches and techniques have been proposed to identify the command and control (C&C) channel that a compromised system establishes to communicate with its controller. ...
A major oversight of many of these detection techniques is the design's resilience to evasion attempts by the well-motivated attacker. ...
The technique of Collins and Reiter [2007] detects anomalies induced in a graph of protocol-specific flows by botnet control traffic. ...
doi:10.1145/3003816
fatcat:jmuklpr2bjamfgygu6rpi4ldmm
Showing results 1 — 15 out of 284 results