Gray-Box Extraction of Execution Graphs for Anomaly Detection
Publication Type
Conference Proceeding Article
Publication Date
10-2004
Abstract
Many host-based anomaly detection systems monitor a process by observing the system calls it makes, and comparing these calls to a model of behavior for the program that the process should be executing. In this paper we introduce a new model of system call behavior, called an execution graph. The execution graph is the first such model that both requires no static analysis of the program source or binary, and conforms to the control flow graph of the program. When used as the model in an anomaly detection system monitoring system calls, it offers two strong properties: (i) it accepts only system call sequences that are consistent with the control flow graph of the program; (ii) it is maximal given a set of training data, meaning that any extensions to the execution graph could permit some intrusions to go undetected. In this paper, we formalize and prove these claims. We additionally evaluate the performance of our anomaly detection technique.
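The two properties the abstract claims are easiest to see on a toy model. The block below is an added illustration, not code from the paper: it learns a transition graph over (system call, user-stack return addresses) states from constructed training traces, rejects any trace that uses a transition the training data never exhibited, and shows that adding even one unseen edge admits an intrusion that the learned graph catches. The paper's execution graph is constructed differently and more carefully from the call stack; the addresses, system calls and traces here are hypothetical, and treating each (syscall, stack) pair as a node with observed-successor edges is this example's own simplification of the gray-box idea (observe the running process, never analyse the binary).

```python
"""Toy execution-graph style anomaly detector (illustration only).

A gray-box monitor sees, at every system call, the call name and the chain of
return addresses on the user stack. We learn which (syscall, stack) states
follow which, and accept a trace only if every step is a learned transition.
"""
from collections import defaultdict

START = ("<start>", ())  # synthetic state preceding the first system call

def build_execution_model(traces):
    """Learn the set of observed transitions between (syscall, stack) states.

    Nothing is generalised beyond the training data: a transition is in the
    model only if some training run exhibited it.
    """
    edges = defaultdict(set)
    for trace in traces:
        prev = START
        for state in trace:
            edges[prev].add(state)
            prev = state
    return edges

def first_anomaly(edges, trace):
    """Index of the first observation whose transition is not in the model,
    or -1 when the whole trace is accepted."""
    prev = START
    for i, state in enumerate(trace):
        if state not in edges.get(prev, ()):
            return i
        prev = state
    return -1

def extend_model(edges, src, dst):
    """Copy of the model with one extra transition, to show what an
    extension beyond the training data costs."""
    new = defaultdict(set, {k: set(v) for k, v in edges.items()})
    new[src].add(dst)
    return new

# Constructed states: hypothetical return addresses, innermost first, all
# inside a program whose main() lives at 0x401050.
MAIN = 0x401050
OPEN = ("open", (0x401200, MAIN))
READ = ("read", (0x401230, MAIN))
CLOSE = ("close", (0x401260, MAIN))
WRITE = ("write", (0x401300, MAIN))
EXIT = ("exit_group", (0x401320, MAIN))

TRAINING_TRACES = [
    [OPEN, READ, CLOSE, WRITE, EXIT],        # one read
    [OPEN, READ, READ, CLOSE, WRITE, EXIT],  # loop around read runs twice
]
MODEL = build_execution_model(TRAINING_TRACES)

# Benign run with three reads: uses only the READ->READ loop edge seen above.
BENIGN_TRACE = [OPEN, READ, READ, READ, CLOSE, WRITE, EXIT]

# Injected code: execve issued from a stack address (hypothetical) that no
# training run ever produced, so the state itself is unknown.
INJECTED_STATE = ("execve", (0x7ffd1234,))
INJECTED_TRACE = [OPEN, READ, INJECTED_STATE]

# Only known states, but in an order the control flow never produced.
REORDERED_TRACE = [OPEN, WRITE, EXIT]

def demo():
    """Results of checking each constructed trace, returned for inspection."""
    extended = extend_model(MODEL, READ, INJECTED_STATE)
    return {
        "benign": first_anomaly(MODEL, BENIGN_TRACE),          # -1, accepted
        "injected": first_anomaly(MODEL, INJECTED_TRACE),      # 2, rejected
        "reordered": first_anomaly(MODEL, REORDERED_TRACE),    # 1, rejected
        "injected_after_extension": first_anomaly(extended, INJECTED_TRACE),  # -1
    }

if __name__ == "__main__":
    for name, idx in demo().items():
        print(f"{name:26s} -> {'accepted' if idx == -1 else f'anomaly at step {idx}'}")
```

The last entry is the point of the maximality claim: the extended model differs from the learned one by a single edge, and that edge is exactly what lets the injected execve through. A detector that generalises from training data has to pay this price for every edge it adds, which is why the learned graph stops at what the traces support.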
Discipline
Information Security
Research Areas
Information Security and Trust
Publication
CCS 2004: Proceedings of the 11th ACM Conference on Computer and Communications Security, October 25-29, 2004, Washington, DC
First Page
318
Last Page
329
ISBN
9781581139617
Identifier
10.1145/1030083.1030126
Publisher
ACM
City or Country
Washington, DC, USA
Citation
GAO, Debin; Reiter, Michael K.; and SONG, Dawn.
Gray-Box Extraction of Execution Graphs for Anomaly Detection. (2004). CCS 2004: Proceedings of the 11th ACM Conference on Computer and Communications Security, October 25-29, 2004, Washington, DC. 318-329.
Available at: https://ink.library.smu.edu.sg/sis_research/1242
Additional URL
http://dx.doi.org/10.1145/1030083.1030126