On Gray-Box Program Tracking for Anomaly Detection
Conference Proceeding Article
Many host-based anomaly detection systems monitor a process ostensibly running a known program by observing the system calls the process makes. Numerous improvements to the precision of this approach have been proposed, such as tracking system call sequences, and various "gray-box" extensions such as examining the program counter or return addresses on the stack when system calls are made. In this paper, we perform the first systematic study of a wide spectrum of such methods. We show that prior approaches can be organized along three axes, revealing new possibilities for system-call-based program tracking. Through an empirical analysis of this design space, we shed light on the benefits and costs of various points in the space and identify new regions that appear to outperform prior approaches. In separate contributions, we demonstrate novel mimicry attacks on a recent proposal using return addresses for system-call-based program tracking, and then suggest randomization techniques to make such attacks more difficult.
Information Security and Trust
Proceedings of the 13th USENIX Security Symposium, August 9-13, 2004, San Diego, CA
City or Country
San Diego, CA, USA
GAO, Debin; Reiter, Michael K.; and SONG, Dawn.
On Gray-Box Program Tracking for Anomaly Detection. (2004). Proceedings of the 13th USENIX Security Symposium, August 9-13, 2004, San Diego, CA. 103-118. Research Collection School Of Information Systems.
Available at: http://ink.library.smu.edu.sg/sis_research/1241