Bypassing system calls–based intrusion detection systems

Rosenberg, Ishai; Gudes, Ehud

doi:10.1002/cpe.4023

Cited by 12 publications

(8 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Though API calls to the operating system kernel are the most popular behavioural features used in dynamic malware detection, there are several reasons why we have chosen machine activity features as inputs to the model instead. Firstly, recent work has shown that API calls are vulnerable to manipulation, causing neural networks to misclassify samples ( [22], [23]). As Burnap et al [24] argue"malware cannot avoid leaving a behavioural footprint" of machine activity, future work will necessarily examine the robustness of machine activity to adversarial crafting, but this is outside the scope of this paper.…”

Section: Methodsmentioning

confidence: 99%

Early-stage malware prediction using recurrent neural networks

Rhode

Burnap

Jones

2018

Computers & Security

230

142

View full text Add to dashboard Cite

Static malware analysis is well-suited to endpoint anti-virus systems as it can be conducted quickly by examining the features of an executable piece of code and matching it to previously observed malicious code. However, static code analysis can be vulnerable to code obfuscation techniques. Behavioural data collected during file execution is more difficult to obfuscate, but takes a relatively long time to capture -typically up to 5 minutes, meaning the malicious payload has likely already been delivered by the time it is detected.In this paper we investigate the possibility of predicting whether or not an executable is malicious based on a short snapshot of behavioural data. We find that an ensemble of recurrent neural networks are able to predict whether an executable is malicious or benign within the first 5 seconds of execution with 94% accuracy. This is the first time general types of malicious file have been predicted to be malicious during execution rather than using a complete activity log file post-execution, and enables cyber security endpoint protection to be advanced to use behavioural data for blocking malicious payloads rather than detecting them post-execution and having to repair the damage.

show abstract

Section: Methodsmentioning

confidence: 99%

Early-stage malware prediction using recurrent neural networks

Rhode

Burnap

Jones

2018

Computers & Security

230

142

View full text Add to dashboard Cite

show abstract

“…There is another study also focusing the security issues for Intrusion Detection System (IDS) based on various classifiers using system calls, executed by the inspected code as feature, and thus a camouflage algorithm that is used to modify malicious code to be classified as benign, while preserving the code's functionality, for decision tree and random forest classifiers. The research shows that it is not enough to provide a decision tree–based classifier with a large training set to counter malware.…”

Section: Themes Of This Special Issuementioning

confidence: 99%

Foreword to the special issue on networked system security and efficiency

Wang

Ren

2017

Concurrency and Computation

View full text Add to dashboard Cite

(device-to-device, D2D) communications, which explicitly need to utilize the private storage for caching and forwarding and thus has serious security problem and proposes a Markov-chain analytical framework for sharing public-safety videos of city surveillance. The paper develops a new Traffic Burden Switching Markovian (TBSM) model to evaluate the performance of transmitting real-time FGA video in wireless networks with D2D communications, and finally, the performance results show the significant varying performance among D2D areas with different geographical locations in D2D enabled wireless networks, which is referred to as multi-D2D-area diversity.

show abstract

“…Therefore, intrusion detection technology has attracted much attention of researchers. [4][5][6][7] The ultimate purpose of intrusion detection is to classify network behavior into normal or abnormal according to certain rules. The goal of intrusion detection is to detect as many attacks as possible with the lowest false alarm rate, that is, the detection system must accurately detect abnormal or attack behavior.…”

Section: Introductionmentioning

confidence: 99%

“…[8][9][10] Therefore, it is necessary to establish a detection model that can accurately identify most of attacks, and handle large-scale data fast enough. Although the recent literatures [11][12][13] have solved these problems, they are not suitable for the detection of persistent attacks. Instead of detecting data flows individually, we subcontract data flows according to a certain rule (eg, all samples in each bag have the same source port), which can improve recall and precision of detection for persistent attacks.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

An intrusion detection algorithm based on bag representation with ensemble support vector machine in cloud computing

Wei

Long

et al. 2020

Concurrency and Computation

View full text Add to dashboard Cite

The increase of security incidents brings a challenge to the cloud computing security. Intrusion detection technologies have been applied to protect information in cloud from being compromised, and complicated learning-based detection methods have been used to improve the performance of intrusion detection systems. Higher quality and well-formed samples are crucial to the performance of detection algorithm. Therefore, we mainly study the intrusion detection model based on data optimization processing. In this article, we establish an intrusion detection algorithm based on ensemble support vector machine with bag representation. Specifically, the sample flows are divided into bags, where the sample flows in each bag are related to each other. Each bag contains multiple related data flows that can accurately reflect intrusion behavior, especially persistent intrusion. What's more, ensemble algorithm is applied to detection model, which greatly optimizes the performance of detection algorithm. The experimental results on open access datasets show that the proposed model detects the persistent attack with 90.58% recall.

show abstract

Bypassing system calls–based intrusion detection systems

Cited by 12 publications

References 30 publications

Early-stage malware prediction using recurrent neural networks

Early-stage malware prediction using recurrent neural networks

Foreword to the special issue on networked system security and efficiency

An intrusion detection algorithm based on bag representation with ensemble support vector machine in cloud computing

Contact Info

Product

Resources

About