Title

On Gray-Box Program Tracking for Anomaly Detection

Publication Type

Conference Proceeding Article

Publication Date

8-2004

Abstract

Many host-based anomaly detection systems monitor a process ostensibly running a known program by observing the system calls the process makes. Numerous improvements to the precision of this approach have been proposed, such as tracking system call sequences, and various "gray-box" extensions such as examining the program counter or return addresses on the stack when system calls are made. In this paper, we perform the first systematic study of a wide spectrum of such methods. We show that prior approaches can be organized along three axes, revealing new possibilities for system-call-based program tracking. Through an empirical analysis of this design space, we shed light on the benefits and costs of various points in the space and identify new regions that appear to outperform prior approaches. In separate contributions, we demonstrate novel mimicry attacks on a recent proposal using return addresses for system-call-based program tracking, and then suggest randomization techniques to make such attacks more difficult.

Discipline

Information Security

Research Areas

Information Security and Trust

Publication

Proceedings of the 13th USENIX Security Symposium, August 9-13, 2004, San Diego, CA

First Page

103

Last Page

118

Publisher

USENIX Association

City or Country

San Diego, CA, USA

Additional URL

http://dl.acm.org/citation.cfm?id=1251383