Fixed- vs. variable-length patterns for detecting suspicious process behavior

Wespi, Andreas; Debar, Hervé; Daciér, Marc; Nassehi, Mehdi

doi:10.3233/jcs-2000-82-305

Cited by 17 publications

(10 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The according proof of concept is implemented as three C++ files. Listing 1 depicts the target program which is the subject of our attack 4 . In line 6, we create a function pointer pointing to a function named isValidUser(), implemented in a dynamic link library.…”

Section: Example Of Dynamically Altering Control-flowmentioning

confidence: 99%

“…The original control-flow is depicted as solid-lined arrows in Figure 3. 3 While our proof of concept presented here regards to the Linux operating system, we also have an equivalent version running on Windows. 4 In the field of offline computer games, software that implements such features in order to alter game specific values (e.g. health, energy, ammunition, etc.)…”

Section: Example Of Dynamically Altering Control-flowmentioning

confidence: 99%

See 1 more Smart Citation

Using Control-Flow Techniques in a Security Context: A Survey on Common Prototypes and Their Common Weakness

Seeger

2011

2011 International Conference on Network Computing and Information Security

View full text Add to dashboard Cite

Abstract-Practical approaches using control-flow techniques in order to detect changes in the control-flow of a program have been subject of many scientific works. This work focuses on three common tools making use of control-and data-flow analysis in order to detect alternations and reveals their common weakness in terms of the ability to react directly to a dynamic change in control-flow. With a general focus on static analysis of binaries or source code, detection of dynamic changes in the executive flow cannot be detected. In order to emphasize this shortcoming of static analysis, we present an approach for dynamically changing a program's control-flow and validate it by depicting a proof of concept.

show abstract

Section: Example Of Dynamically Altering Control-flowmentioning

confidence: 99%

Section: Example Of Dynamically Altering Control-flowmentioning

confidence: 99%

Using Control-Flow Techniques in a Security Context: A Survey on Common Prototypes and Their Common Weakness

Seeger

2011

2011 International Conference on Network Computing and Information Security

View full text Add to dashboard Cite

show abstract

“…Section 2 describes the basic principles of detecting suspicious process behavior by analyzing the sequences of system calls a process can generate. Readers familiar with the previous work on this topic [2,3,8,10,11,13,14,15] can skip this section and go directly to Section 3 where our novel intrusion-detection method, which uses variable-length patterns, is presented. Section 4 compares our novel method with the one proposed by Forrest et al [8,10] based on experiments performed in a testbed [5] environment.…”

Section: Introductionmentioning

confidence: 99%

Intrusion Detection Using Variable-Length Audit Trail Patterns

Wespi

Daciér

Debar

2000

Lecture Notes in Computer Science

Self Cite

128

100

View full text Add to dashboard Cite

Abstract. Audit trail patterns generated on behalf of a Unix process can be used to model the process behavior. Most of the approaches proposed so far use a table of fixed-length patterns to represent the process model. However, variable-length patterns seem to be more naturally suited to model the process behavior, but they are also more difficult to construct. In this paper, we present a novel technique to build a table of variable-length patterns. This technique is based on Teiresias, an algorithm initially developed for discovering rigid patterns in unaligned biological sequences. We evaluate the quality of our technique in a testbed environment, and compare it with the intrusion-detection system proposed by Forrest et al. [8], which is based on fixed-length patterns. The results achieved with our novel method are significantly better than those obtained with the original method based on fixed-length patterns.

show abstract

“…In [6] stide is applied for detecting anomalies in programs audited using Sun's Basic Security Module (BSM). In [14] and [19] the idea of combining sequences of different lengths is exploited. Finally, in [3] the benefits of using an adaptive sequence length are demonstrated.…”

Section: Detectionmentioning

confidence: 99%