Sciweavers

RAID
2007
Springer

Exploiting Execution Context for the Detection of Anomalous System Calls

14 years 6 months ago
Exploiting Execution Context for the Detection of Anomalous System Calls
Attacks against privileged applications can be detected by analyzing the stream of system calls issued during process execution. In the last few years, several approaches have been proposed to detect anomalous system calls. These approaches are mostly based on modeling acceptable system call sequences. Unfortunately, the techniques proposed so far are either vulnerable to certain evasion attacks or are too expensive to be practical. This paper presents a novel approach to the analysis of system calls that uses a composition of dynamic analysis and learning techniques to characterize anomalous system call invocations in terms of both the invocation context and the parameters passed to the system calls. Our technique provides a more precise detection model with respect to solutions proposed previously, and, in addition, it is able to detect data modification attacks, which cannot be detected using only system call sequence analysis.
Darren Mutz, William K. Robertson, Giovanni Vigna,
Added 09 Jun 2010
Updated 09 Jun 2010
Type Conference
Year 2007
Where RAID
Authors Darren Mutz, William K. Robertson, Giovanni Vigna, Richard A. Kemmerer
Comments (0)