On Gray-Box Program Tracking for Anomaly Detection

Publication Type

Conference Proceeding Article

Publication Date



Many host-based anomaly detection systems monitor a process ostensibly running a known program by observing the system calls the process makes. Numerous improvements to the precision of this approach have been proposed, such as tracking system call sequences, and various "gray-box" extensions such as examining the program counter or return addresses on the stack when system calls are made. In this paper, we perform the first systematic study of a wide spectrum of such methods. We show that prior approaches can be organized along three axes, revealing new possibilities for system-call-based program tracking. Through an empirical analysis of this design space, we shed light on the benefits and costs of various points in the space and identify new regions that appear to outperform prior approaches. In separate contributions, we demonstrate novel mimicry attacks on a recent proposal using return addresses for system-call-based program tracking, and then suggest randomization techniques to make such attacks more difficult.


Information Security

Research Areas

Information Security and Trust


Proceedings of the 13th USENIX Security Symposium, August 9-13, 2004, San Diego, CA

First Page


Last Page



USENIX Association

City or Country

San Diego, CA, USA

Additional URL