An Anthropological Approach to Studying CSIRTs

Sundaramurthy, Sathya Chandran; McHugh, John; Ou, Xinming; Rajagopalan, S. Raj; Wesch, Michael

doi:10.1109/msp.2014.84

Cited by 28 publications

(36 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…LAD supports offline detection or forensics of program attacks, in which case accuracy is the main concern instead of performance [56]. Our Pintool enables analysts to locate anomalies within long program traces, and our matrices provide caller information for individual function calls.…”

Section: Performance Analysismentioning

confidence: 99%

Long-Span Program Behavior Modeling and Attack Detection

Shu¹,

Yao

Ramakrishnan

et al. 2017

ACM Trans. Priv. Secur.

View full text Add to dashboard Cite

Intertwined developments between program attacks and defenses witness the evolution of program anomaly detection methods. Emerging categories of program attacks, e.g., non-control data attacks and data-oriented programming, are able to comply with normal trace patterns at local views. This article points out the deficiency of existing program anomaly detection models against new attacks and presents long-span behavior anomaly detection (LAD), a model based on mildly context-sensitive grammar verification. The key feature of LAD is its reasoning of correlations among arbitrary events that occurred in long program traces. It extends existing correlation analysis between events at a stack snapshot, e.g., paired call and ret, to correlation analysis among events that historically occurred during the execution. The proposed method leverages specialized machine learning techniques to probe normal program behavior boundaries in vast high-dimensional detection space. Its two-stage modeling/detection design analyzes event correlation at both binary and quantitative levels. Our prototype successfully detects all reproduced real-world attacks against sshd, libpcre, and sendmail. The detection procedure incurs 0.1 ms to 1.3 ms overhead to profile and analyze a single behavior instance that consists of tens of thousands of function call or system call events. North Glebe Road, Arlington, VA 22203; email: naren@cs.vt.edu; T. Jaeger, 346A IST Building, University Park, PA 16802; email: tjaeger@cse.psu.edu. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org. 12:2 X. Shu et al. INTRODUCTIONAttacks to programs are one of the oldest and fundamental threats to computing systems, which evolve and constitute latest attack vectors and advanced persistent threats. Anomaly-based intrusion detection discovers aberrant executions caused by attacks, misconfigurations, program bugs, and unusual usage patterns. The approach models normal program behaviors instead of the threats. It does not bear time lags between emerging attacks and deployed countermeasures as standard defenses do, which are built upon retrospects of inspected attacks. The merit of program anomaly detection is its independence from attack signatures. This property potentially enables proactive defenses against new and unknown threats.The detection accuracy of program anomaly detection methods relies on the precision of normal program behavior description and the completeness of the training [54]. Primitive program attacks, e.g., return addresses mani...

show abstract

Section: Performance Analysismentioning

confidence: 99%

Long-Span Program Behavior Modeling and Attack Detection

Shu¹,

Yao

Ramakrishnan

et al. 2017

ACM Trans. Priv. Secur.

View full text Add to dashboard Cite

show abstract

“…Another challenge is that incident response tasks are complex, and no manual or textbook offers clear guidance explaining how the job should be performed [18]. The job of incident responder is further conflated by claims that responders may specialize in related areas such as forensics, data mining, reverse engineering, configuration of countermeasures, or penetration testing [5].…”

Section: Literature Reviewmentioning

confidence: 99%

Capabilities and Skill Configurations of Information Security Incident Responders

McLaughlin

D’Arcy

Cram

et al. 2017

Proceedings of the 50th Hawaii International Conference on System Sciences (2017)

View full text Add to dashboard Cite

show abstract

“…Our approach can support offline detection or forensics of program attacks, in which case accuracy is the main concern instead of performance [42]. Our Pintool enables analysts to locate anomalies within execution windows, and our matrices provide caller information for individual function calls.…”

Section: Performance Analysismentioning

confidence: 99%

“…To deal with the borderline behavior issue, we alter the standard process into a two-step process: i) generate scopes of clusters in an agglomerative way (line 13-28), and ii) add behavior instances to generated clusters (line [30][31][32][33][34][35][36][37][38][39][40][41][42][43][44].…”

mentioning

confidence: 99%

See 1 more Smart Citation

Unearthing Stealthy Program Attacks Buried in Extremely Long Execution Paths

Shu

Yao

Ramakrishnan

2015

Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Modern stealthy exploits can achieve attack goals without introducing illegal control flows, e.g., tampering with noncontrol data and waiting for the modified data to propagate and alter the control flow legally. Existing program anomaly detection systems focusing on legal control flow attestation and short call sequence verification are inadequate to detect such stealthy attacks. In this paper, we point out the need to analyze program execution paths and discover event correlations in large-scale execution windows among millions of instructions. We propose an anomaly detection approach with two-stage machine learning algorithms to recognize diverse normal call-correlation patterns and detect program attacks at both inter-and intra-cluster levels. We implement a prototype of our approach and demonstrate its effectiveness against three real-world attacks and four synthetic anomalies with less than 0.01% false positive rates and 0.1~1.3 ms analysis overhead per behavior instance (1k to 50k function or system calls).

show abstract

An Anthropological Approach to Studying CSIRTs

Cited by 28 publications

References 5 publications

Long-Span Program Behavior Modeling and Attack Detection

Long-Span Program Behavior Modeling and Attack Detection

Capabilities and Skill Configurations of Information Security Incident Responders

Unearthing Stealthy Program Attacks Buried in Extremely Long Execution Paths

Contact Info

Product

Resources

About