Publication Type

Conference Proceeding Article

Version

acceptedVersion

Publication Date

9-2011

Abstract

Because many function arguments are erratic by nature, an argument value that is legal in one normal program execution can be illegal in another normal execution context. Attacks that exploit such erratic arguments evade detection because many existing detection schemes lack the fine-grained context information needed to tell the two cases apart. Obtaining that context information requires a precise model of the program's internal states, which is impractical, especially when monitoring a closed-source program on its own. In this paper, we propose an intrusion detection scheme that builds on two diverse programs providing semantically close functionality. Our model learns the underlying semantic correlation of the argument values across these programs and consequently gains more accurate context information than existing schemes. Through experiments, we show that such context information is effective in detecting attacks that manipulate erratic arguments, at comparable false positive rates.
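To make the abstract's point concrete, the following is an added toy illustration, written for this page and not the paper's model or code: two hypothetical, diverse web servers A and B serve the same content from different document roots, and a detector learns how the path each passes to open() for the same request relates to the other's. The server names, document roots, traces and the "lax versus strict path normalisation" behaviour are all constructed assumptions; the paper's own learning model is not described here.

```python
"""Toy cross-program argument-correlation detector (constructed example, not the paper's model)."""


# Constructed training trace. Each entry: (request, path program A passed to open(),
# path program B passed to open()). A and B are two hypothetical, diverse web servers
# serving the same content from different document roots.
TRAINING_PAIRS = [
    ("GET /index.html", "/srv/a/htdocs/index.html", "/var/www/b/index.html"),
    ("GET /img/logo.png", "/srv/a/htdocs/img/logo.png", "/var/www/b/img/logo.png"),
    ("GET /docs/readme.txt", "/srv/a/htdocs/docs/readme.txt", "/var/www/b/docs/readme.txt"),
]

# Paths A legitimately opens in other normal contexts (hypothetical: user lookup at
# startup, config loading). A per-program whitelist of A's open() arguments therefore
# contains /etc/passwd, which is exactly the "erratic argument" problem.
TRAINING_A_ONLY = ["/etc/passwd", "/etc/group", "/srv/a/conf/httpd.conf"]


def split_common_suffix(path_a, path_b):
    """Split two paths at their longest common suffix on a component boundary.

    Returns (prefix_a, prefix_b, suffix). For a normal request the prefixes are the
    two document roots and the suffix is the requested relative path.
    """
    comps_a = path_a.split("/")
    comps_b = path_b.split("/")
    n = 0
    while n < min(len(comps_a), len(comps_b)) and comps_a[-1 - n] == comps_b[-1 - n]:
        n += 1
    suffix = "/".join(comps_a[len(comps_a) - n:])
    prefix_a = "/".join(comps_a[:len(comps_a) - n])
    prefix_b = "/".join(comps_b[:len(comps_b) - n])
    return prefix_a, prefix_b, suffix


def learn_relations(pairs):
    """Learn the set of (prefix_a, prefix_b) relations observed for normal requests."""
    relations = set()
    for _request, path_a, path_b in pairs:
        prefix_a, prefix_b, _suffix = split_common_suffix(path_a, path_b)
        relations.add((prefix_a, prefix_b))
    return relations


def correlation_flags(relations, path_a, path_b):
    """Flag when the two programs' arguments for one request follow no learned relation."""
    prefix_a, prefix_b, _suffix = split_common_suffix(path_a, path_b)
    return (prefix_a, prefix_b) not in relations


def whitelist_flags(whitelist, path_a):
    """Baseline: a context-free per-program model that only knows which values A has used."""
    return path_a not in whitelist


def demo():
    """Compare both detectors on a constructed attack and a constructed benign request."""
    relations = learn_relations(TRAINING_PAIRS)
    whitelist = {path_a for _r, path_a, _b in TRAINING_PAIRS} | set(TRAINING_A_ONLY)

    # Constructed attack: both servers receive "GET /../../etc/passwd". Hypothetically A's
    # lax normalisation escapes its root, while B's strict normalisation stays under its root.
    attack_a, attack_b = "/etc/passwd", "/var/www/b/etc/passwd"
    # Constructed benign request for a file that never appeared in training.
    benign_a, benign_b = "/srv/a/htdocs/about.html", "/var/www/b/about.html"

    return {
        "whitelist_flags_attack": whitelist_flags(whitelist, attack_a),
        "whitelist_flags_benign": whitelist_flags(whitelist, benign_a),
        "correlation_flags_attack": correlation_flags(relations, attack_a, attack_b),
        "correlation_flags_benign": correlation_flags(relations, benign_a, benign_b),
    }


if __name__ == "__main__":
    for name, flagged in demo().items():
        print(f"{name}: {flagged}")
```

The per-program whitelist misses the attack (A has opened /etc/passwd in a normal context before) and flags the unseen benign file, while the cross-program relation catches the attack (the prefix pair ("", "/var/www/b") was never learned) and accepts the benign request because it follows the learned root-to-root relation. This is only the intuition behind using diversity as context; the real scheme must cope with non-deterministic arguments, missing counterparts, and many syscall types.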

Keywords

Intrusion detection, system call argument, diversity

Discipline

Information Security

Research Areas

Cybersecurity

Publication

Security and Privacy in Communication Networks: 7th International ICST Conference, SecureComm 2011, London, UK, September 7-9, 2011, Revised Selected Papers

Volume

96

First Page

172

Last Page

189

ISBN

9783642319099

Identifier

10.1007/978-3-642-31909-9_10

Publisher

Springer Verlag

City or Country

Heidelberg

Copyright Owner and License

Authors

Additional URL

http://dx.doi.org/10.1007/978-3-642-31909-9_10
