Automatically Adapting a Trained Anomaly Detector to Software Patches
Publication Type
Conference Proceeding Article
Publication Date
9-2009
Abstract
In order to detect a compromise of a running process based on it deviating from its program’s normal system-call behavior, an anomaly detector must first be trained with traces of system calls made by the program when provided clean inputs. When a patch for the monitored program is released, however, the system call behavior of the new version might differ from that of the version it replaces, rendering the anomaly detector too inaccurate for monitoring the new version. In this paper we explore an alternative to collecting traces of the new program version in a clean environment (which may take effort to set up), namely adapting the anomaly detector to accommodate the differences between the old and new program versions. We demonstrate that this adaptation is feasible for such an anomaly detector, given the output of a state-of-the-art binary difference analyzer. Our analysis includes both proofs of properties of the adapted detector, and empirical evaluation of adapted detectors based on four software case studies.
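The training-then-patch problem the abstract describes, as an added example that is not code from the paper or its authors: a stide-style sliding-window system-call detector is trained on constructed clean traces of version 1, raises false alarms on a clean trace of the patched version, and is then adapted without collecting any trace of the new version. The paper derives its adaptation from the output of a binary difference analyzer; this example instead assumes the patch's effect on the trace has already been reduced to a per-call rewrite map (here `open` becoming `openat` followed by `fcntl`), which is an illustrative assumption, not the paper's method, and which cannot express deleted calls. All traces and the rewrite map are constructed.

```python
# Added illustration, not code from the RAID 2009 paper or its authors.
# Model: the set of every length-n window of system calls seen in clean
# traces (a stide-style detector).  Adaptation assumes the patch's effect
# on traces is a per-call rewrite map, an assumption made for illustration;
# the paper works from a binary difference analyzer's output instead.
from typing import Dict, FrozenSet, Iterable, List, Sequence, Tuple

NGram = Tuple[str, ...]
RewriteMap = Dict[str, Sequence[str]]

# Constructed clean traces of the original program version (not real data).
CLEAN_TRACES_V1 = [
    ["open", "fstat", "mmap", "read", "read", "write", "close", "exit_group"],
    ["open", "fstat", "read", "write", "write", "close", "exit_group"],
]

# Constructed description of what the patch changed: the new version calls
# openat instead of open and sets a descriptor flag with fcntl right after.
# Every call not listed is assumed unchanged.
PATCH_DIFF: RewriteMap = {"open": ["openat", "fcntl"]}

# Constructed trace of the patched version on clean input, and a constructed
# trace of a compromised patched process that connects out and spawns a shell.
PATCHED_CLEAN_TRACE = ["openat", "fcntl", "fstat", "mmap", "read", "read",
                       "write", "close", "exit_group"]
PATCHED_ATTACK_TRACE = ["openat", "fcntl", "fstat", "read", "socket",
                        "connect", "dup2", "execve"]


def ngrams(trace: Sequence[str], n: int) -> List[NGram]:
    """All length-n windows of a system-call trace, in trace order."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def train(traces: Iterable[Sequence[str]], n: int) -> FrozenSet[NGram]:
    """Model = every n-gram observed in clean traces."""
    model = set()
    for t in traces:
        model.update(ngrams(t, n))
    return frozenset(model)


def mismatches(model: FrozenSet[NGram], trace: Sequence[str], n: int) -> List[int]:
    """Window positions absent from the model: the detector's raw alarms."""
    return [i for i, g in enumerate(ngrams(trace, n)) if g not in model]


def rewrite(trace: Sequence[str], diff: RewriteMap) -> List[str]:
    """Replace each call by the calls the patched version issues for it.
    Deletions (empty replacement) are rejected: dropping a call can merge
    windows in a way a bare n-gram set cannot reconstruct."""
    out: List[str] = []
    for call in trace:
        repl = diff.get(call, (call,))
        if not repl:
            raise ValueError("deletions are not supported by this n-gram adaptation")
        out.extend(repl)
    return out


def adapt(model: FrozenSet[NGram], diff: RewriteMap, n: int) -> FrozenSet[NGram]:
    """Adapt a trained model to the patch with no trace of the new version.
    Each old window expands to the contiguous run of calls the patched
    program issues for it, so every n-gram of that run is a valid new
    window.  Conversely every window of a rewritten trace lies inside the
    expansion of some old window (each old call maps to at least one new
    call), so for old traces of at least n calls the result equals the
    model that would have been trained on rewritten clean traces."""
    adapted = set()
    for g in model:
        adapted.update(ngrams(rewrite(g, diff), n))
    return frozenset(adapted)


if __name__ == "__main__":
    N = 3
    old_model = train(CLEAN_TRACES_V1, N)
    print("old model on patched clean trace:", mismatches(old_model, PATCHED_CLEAN_TRACE, N))
    new_model = adapt(old_model, PATCH_DIFF, N)
    print("adapted model on patched clean trace:", mismatches(new_model, PATCHED_CLEAN_TRACE, N))
    print("adapted model on attack trace:", mismatches(new_model, PATCHED_ATTACK_TRACE, N))
    retrained = train([rewrite(t, PATCH_DIFF) for t in CLEAN_TRACES_V1], N)
    print("adapted == retrained on rewritten traces:", new_model == retrained)
```

The last check is the property one would want proven for any such adaptation: the adapted model should coincide with the model that clean traces of the new version would have produced, so it neither loses attack coverage nor gains false alarms relative to retraining. With a binary difference analyzer the rewrite is not a simple per-call map, and the windows the analyzer reports as changed would need to be treated the way `rewrite` treats `open` here.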
Discipline
Information Security
Research Areas
Information Security and Trust
Publication
Recent Advances in Intrusion Detection: 12th International Symposium, RAID 2009, Saint-Malo, France, September 23-25: Proceedings
Volume
5758
First Page
142
Last Page
160
ISBN
9783642043420
Identifier
10.1007/978-3-642-04342-0_8
Publisher
Springer Verlag
City or Country
Saint-Malo, France
Citation
LI, Peng; GAO, Debin; and Reiter, Michael K.
Automatically Adapting a Trained Anomaly Detector to Software Patches. (2009). Recent Advances in Intrusion Detection: 12th International Symposium, RAID 2009, Saint-Malo, France, September 23-25: Proceedings. 5758, 142-160.
Available at: https://ink.library.smu.edu.sg/sis_research/475
Additional URL
http://dx.doi.org/10.1007/978-3-642-04342-0_8
Comments
5758/2009