Context Sensitive Anomaly Monitoring of Process Control Flow to Detect Mimicry Attacks and Impossible Paths [chapter]

Haizhi Xu, Wenliang Du, Steve J. Chapin
2004 Lecture Notes in Computer Science  
We describe our design and implementation of waypoints and present results showing that waypoint-based anomaly monitors can detect a subset of mimicry attacks and impossible paths.  ...  Waypoints actively log trustworthy context information as the program executes, allowing our anomaly monitor to both monitor control flow and restrict system call permissions to conform to the legitimate  ...  Acknowledgments We thank Kyung-suk Lhee and the anonymous referees for their helpful comments.  ... 
doi:10.1007/978-3-540-30143-1_2 fatcat:acp37bhmfvbhxnbi5md6iziady

A Formal Framework for Program Anomaly Detection [chapter]

Xiaokui Shu, Danfeng Yao, Barbara G. Ryder
2015 Lecture Notes in Computer Science  
Control-flow based metrics, such as average branching factor, are developed for evaluating specific groups of program anomaly detection methods [59] .  ...  The merit of program anomaly detection is its independence from attack signatures, which enables proactive defense against new and unknown attacks.  ...  The authors would like to thank Trent Jaeger, Gang Tan, R. Sekar, David Evans and Dongyan Xu for their feedback on this work.  ... 
doi:10.1007/978-3-319-26362-5_13 fatcat:4qcygxknqjh45meygssx346vnm

Efficient, context-sensitive detection of real-world semantic attacks

Michael D. Bond, Varun Srivastava, Kathryn S. McKinley, Vitaly Shmatikov
2010 Proceedings of the 5th ACM SIGPLAN Workshop on Programming Languages and Analysis for Security - PLAS '10  
Prior work on context-sensitive anomaly detection relied on stack-walking, which incurs overheads of 50% to over 200%.  ...  Anomaly detection must balance precision and sensitivity: high sensitivity leads to many benign behaviors appearing anomalous (false positives), while low sensitivity may miss attacks.  ...  PCC to Jikes RVM 2.9.2; Chris Ryder for PCC bug fixes; Sam Guyer for helpful discussions; and Bert Maher, Wei Le, and the anonymous reviewers for valuable feedback on the text.  ... 
doi:10.1145/1814217.1814218 dblp:conf/pldi/BondSMS10 fatcat:zytihjnfcfbddiaeejuajurb3a

Taint-Enhanced Anomaly Detection [chapter]

Lorenzo Cavallaro, R. Sekar
2011 Lecture Notes in Computer Science  
., code or script injection), but their applicability to a broader range of attacks (non-control data attacks, path traversals, race condition attacks, and other unknown attacks) is limited by the need  ...  Anomaly detection has been popular for a long time due to its ability to detect novel attacks. However, its practical deployment has been limited due to false positives.  ...  Furthermore, it is susceptible to two types of attacks, namely mimicry [31] and impossible path execution (IPE).  ... 
doi:10.1007/978-3-642-25560-1_11 fatcat:i47aeqqekfepzbs5m3zcdc53om

An Anomalous Behavior Detection Method Using System Call Sequences for Distributed Application

2015 KSII Transactions on Internet and Information Systems  
Thus, it is difficult to detect anomalous behaviors and determine the location and scope of abnormal nodes, and some attacks and misuse cannot be detected.  ...  To address this problem, we introduce a method for detecting anomalous behaviors based on process algebra. We specify the architecture of the behavior detection model and the detection algorithm.  ...  (c) The read or write lock operations appear in system calls, such as rlock and wlock. The method of rewriting a process expression is to create a process expression for (a), (b) and (c); for instance, ...  ... 
doi:10.3837/tiis.2015.02.010 fatcat:wxrnyox36jdxppyofkgbqkhydm

UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats [article]

Xueyuan Han, Thomas Pasquier, Adam Bates, James Mickens, Margo Seltzer
2020 arXiv pre-print
Advanced Persistent Threats (APTs) are difficult to detect due to their "low-and-slow" attack patterns and frequent use of zero-day exploits.  ...  Our evaluation shows that UNICORN outperforms an existing state-of-the-art APT detection system and detects real-life APT scenarios with high accuracy.  ...  The goal of their work is mainly to identify important process features that are likely to be relevant to APT attacks (e.g., a process' lifetime and path information).  ... 
arXiv:2001.01525v1 fatcat:cljlsnrtsfamhlhtnzptydwd6i

PsycoTrace: Virtual and Transparent Monitoring of a Process Self

Fabrizio Baiardi, Dario Maggiari, Daniele Sgandurra, Francesco Tamberi
2009 2009 17th Euromicro International Conference on Parallel, Distributed and Network-based Processing  
PsycoTrace is a set of tools to protect a process P from attacks that alter P self as specified by its source code.  ...  We describe PsycoTrace overall architecture and focus on the run-time and introspection tools that enable the monitoring machine to check that a trace is legal and to transparently access the memory of  ...  They discuss the callgraph model, built by analyzing the control-flow of the program, which is then extended to the abstract stack model to take into account impossible paths.  ... 
doi:10.1109/pdp.2009.45 dblp:conf/pdp/BaiardiMST09 fatcat:yoq4hhstqvf73bfns2x7opckzi

Detecting Malicious Javascript in PDF through Document Instrumentation

Daiping Liu, Haining Wang, Angelos Stavrou
2014 2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks  
When an instrumented document is opened, the context monitoring code inside will cooperate with our runtime monitor to detect potential infection attempts in the context of Javascript execution.  ...  Our approach statically extracts a set of static features and inserts context monitoring code into a document.  ...  ACKNOWLEDGMENT We would like to thank the anonymous reviewers for their insightful and valuable comments.  ... 
doi:10.1109/dsn.2014.92 dblp:conf/dsn/LiuWS14 fatcat:ueasgwvl3bhdrfkekp7drjoljq

Semantics-aware detection of targeted attacks: a survey

Robert Luh, Stefan Marschalek, Manfred Kaiser, Helge Janicke, Sebastian Schrittwieser
2016 Journal in Computer Virology and Hacking Techniques  
Out of 123 identified papers, 60 were found to be relevant in the context of this study.  ...  To overcome these obstacles, we present a structured review of semantics-aware works that have a high potential for contributing to the analysis or detection of targeted attacks.  ...  The financial support by the Austrian Federal Ministry of Science, Research and Economy and the National Foundation for Research, Technology and Development is gratefully acknowledged.  ... 
doi:10.1007/s11416-016-0273-3 fatcat:flhbpc4uwbandby2adxi62t64u

Transparent Process Monitoring in a Virtual Environment

Fabrizio Baiardi, Dario Maggiari, Daniele Sgandurra, Francesco Tamberi
2009 Electronic Notes in Theoretical Computer Science  
PsycoTrace is a system that integrates static and dynamic tools to protect a process from attacks that alter the process self as specified by the program source code.  ...  The static tools build a context-free grammar that describes the sequences of system calls the process may issue and a set of assertions on the process state, one for each invocation.  ...  The paper introduces the callgraph model, built by analyzing the control-flow of the program. Then, this model is extended to the abstract stack model to take into account impossible paths.  ... 
doi:10.1016/j.entcs.2009.03.016 fatcat:ysvhrpvkn5h27l63cyf4vvjlpu

Runtime Detection of Zero-Day Vulnerability Exploits in Contemporary Software Systems [chapter]

Olgierd Pieczul, Simon N. Foley
2016 Lecture Notes in Computer Science  
This model is used at runtime to detect exploitation of unknown security vulnerabilities using anomaly detection style techniques.  ...  A methodology is proposed that can be used to build a model of expected application execution paths during the software development cycle.  ...  other [15] , thus at increased precision and reduced chance for mimicry attack [19] .  ... 
doi:10.1007/978-3-319-41483-6_24 fatcat:a3cdjtrcijav7jyek5oyfbg6ye

Results-oriented security

Matt Bishop, Richard Ford, Marco Ramilli
2011 2011 6th International Conference on Malicious and Unwanted Software  
Current security practice is to examine incoming messages, commands, data, and executing processes for attacks that can then be countered.  ...  This position paper argues that this practice is counterproductive because the number and variety of attacks are far greater than we can cope with.  ...  Acknowledgements: Matt Bishop thanks the National Science Foundation for the support of grants CCF-0905503 and CNS-1049738 to the University of California at Davis.  ... 
doi:10.1109/malware.2011.6112325 dblp:conf/malware/BishopFR11 fatcat:rpjenhsdrreddfalmu3fxr5yxi

N-Gram against the Machine: On the Feasibility of the N-Gram Network Analysis for Binary Protocols [chapter]

Dina Hadžiosmanović, Lorenzo Simionato, Damiano Bolzoni, Emmanuele Zambon, Sandro Etalle
2012 Lecture Notes in Computer Science  
Other attacks specifically designed to target Industrial Control Systems (ICS, which include nuclear power plants and oil and gas extraction and distribution facilities) have been disclosed recently [3].  ...  These attacks could not be detected by current, signature-based detection solutions, while, at least in theory, they could be detected by state-of-the-art anomaly-based systems.  ...  The research leading to these results has been supported by the Ministry of Security and Justice of the Kingdom of the Netherlands through projects Hermes, Castor and Midas and by the European Commission  ... 
doi:10.1007/978-3-642-33338-5_18 fatcat:bn3e2hmkvjamxlxomufc43fsti

Non-Control-Data Attacks Are Realistic Threats

Shuo Chen, Jun Xu, Emre Can Sezer
2005 USENIX Security Symposium  
Attackers are currently focused on control-data attacks, but it is clear that when control flow protection techniques shut them down, they have incentives to study and employ non-control-data attacks.  ...  This paper emphasizes the importance of future research efforts to address this realistic threat.  ...  Other terms are used to refer to attacks that do not alter control flow.  ...  Acknowledgments We owe thanks to many people for their insightful suggestions and extensively detailed comments on the technical contents and the presentation of this paper.  ... 
dblp:conf/uss/Chen0S05 fatcat:wrnupggnmjb4vls6akc4vqqkq4

On the Security of Machine Learning in Malware C&C Detection

Joseph Gardiner, Shishir Nagaraja
2016 ACM Computing Surveys  
In particular, several approaches and techniques have been proposed to identify the command and control (C&C) channel that a compromised system establishes to communicate with its controller.  ...  A major oversight of many of these detection techniques is the design's resilience to evasion attempts by the well-motivated attacker.  ...  The technique of Collins and Reiter [2007] detects anomalies induced in a graph of protocol-specific flows by botnet control traffic.  ... 
doi:10.1145/3003816 fatcat:jmuklpr2bjamfgygu6rpi4ldmm