System-call monitoring has become the basis for many host-based intrusion detection as well as policy enforcement techniques. Mimicry attacks attempt to evade system-call monitoring IDS by executing innocuous-looking sequences of system calls that accomplish the attacker's goals. Mimicry attacks may execute a sequence of dozens of system calls in order to evade detection. Finding such a sequence is difficult, so researchers have focused on tools for automating mimicry attacks and extending them to gray-box IDS. In this paper, we describe an alternative approach for building mimicry attacks using only skills and technologies that hackers possess today, making this attack a more immediate and realistic threat. These attacks, which we call persistent interposition attacks, are not as powerful as traditional mimicry attacks -- an adversary cannot obtain a root shell using a persistent interposition attack -- but are sufficient to accomplish the goals of today's cyber-criminals. ...
Chetan Parampalli, R. Sekar, Rob Johnson