Improving Host-Based IDS with Argument Abstraction to Prevent Mimicry Attacks

Sufatrio,; Yap, Roland H. C.

doi:10.1007/11663812_8

Cited by 16 publications

(9 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Sufatrio presented an algorithm for automated mimicry attack on Finite‐State Automaton (or overlapping graph) classifier using system call n‐grams. However, this algorithm limits the malware code that can be camouflaged using it, to one that can be assembled from benign trace n‐grams.…”

Section: Background and Related Workmentioning

confidence: 99%

Bypassing system calls–based intrusion detection systems

Rosenberg

Gudes

2016

Concurrency and Computation

View full text Add to dashboard Cite

Machine learning augments today's intrusion detection system (IDS) capability to cope with unknown malware. However, if an attacker gains partial knowledge about the IDS' classifier, he can create a modified version of his malware, which can evade detection. In this article we present an IDS on the basis of various classifiers using system calls, executed by the inspected code as features. We then present a camouflage algorithm that is used to modify malicious code to be classified as benign, while preserving the code's functionality, for decision tree and random forest classifiers. We also present transformations to the classifier's input, to prevent this camouflageand a modified camouflage algorithm that overcomes those transformations. Our research shows that it is not enough to provide a decision tree based classifier with a large training set to counter malware. One must also be aware of the possibility that the classifier would be fooled by a camouflage algorithm, and try to counter such an attempt with techniques such as input transformation or training set updates.

show abstract

Section: Background and Related Workmentioning

confidence: 99%

Bypassing system calls–based intrusion detection systems

Rosenberg

Gudes

2016

Concurrency and Computation

View full text Add to dashboard Cite

show abstract

“…Various IDSes can also be classified into network-based [38,28,13,37,25,32,10,13] and host-based ones [15,36,8,26,31,12]. The difference between these two categories lies in where the intelligence used for detection resides.…”

Section: Limitations Of Existing Approachesmentioning

confidence: 99%

Enhancing Intrusion Detection System with proximity information

Zhuang¹,

Li²,

Chen³

2010

IJSN

View full text Add to dashboard Cite

Abstract:The wide spread of worms poses serious challenges to today's Internet. Various IDSes (Intrusion Detection Systems) have been proposed to identify or prevent such spread. These IDSes can be largely classified as signature-based or anomaly-based ones depending on what type of knowledge the system knows. Signature-based IDSes are unable to detect the outbreak of new and unidentified worms when the worms' characteristic patterns are unknown. In addition, new worms are often sufficiently intelligent to hide their activities and evade anomaly detection. Moreover, modern worms tend to spread more quickly, and the outbreak period lasts in the order of hours or even minutes. Such characteristics render existing detection mechanisms less effective.In this work, we consider the drawbacks of current detection approaches and propose PAIDS, a proximity-assisted IDS approach for identifying the outbreak of unknown worms. PAIDS does not rely on signatures. Instead, it takes advantage of the proximity information of compromised hosts. PAIDS operates on an orthogonal dimension with existing IDS approaches and can thus work collaboratively with existing IDSes to achieve better performance. We test the effectiveness of PAIDS with trace-driven simulations and observe that PAIDS has a high detection rate and a low false positive rate. We also build a proof-of-concept prototype using Google Maps APIs and libpcap library.

show abstract

“…They reported improved attack detection, but at the cost of increased complexity: Their system ran 4-10 times more slowly when arguments were included. Sufatrio and Yap incorporated data flow in the form of a supplied specification for system call arguments [69], and Bhatkar et al reported that modeling the temporal aspects of data flow in conjunction with control flow further improved detection [6].…”

Section: Data Flowmentioning

confidence: 99%

The Evolution of System-Call Monitoring

Forrest

Hofmeyr

Somayaji

2008

2008 Annual Computer Security Applications Conference (ACSAC)

101

View full text Add to dashboard Cite

Computer security systems protect computers and networks from unauthorized use by external agents and insiders. The similarities between computer security and the problem of protecting a body against damage from externally and internally generated threats are compelling and were recognized as early as 1972 when the term computer virus was coined. The connection to immunology was made explicit in the mid 1990s, leading to a variety of prototypes, commercial products, attacks, and analyses. The paper reviews one thread of this active research area, focusing on system-call monitoring and its application to anomaly intrusion detection and response.The paper discusses the biological principles illustrated by the method, followed by a brief review of how system call monitoring was used in anomaly intrusion detection and the results that were obtained. Proposed attacks against the method are discussed, along with several important branches of research that have arisen since the original papers were published. These include other data modeling methods, extensions to the original system call method, and rate limiting responses. Finally, the significance of this body of work and areas of possible future investigation are outlined in the conclusion.

show abstract

Improving Host-Based IDS with Argument Abstraction to Prevent Mimicry Attacks

Cited by 16 publications

References 11 publications

Bypassing system calls–based intrusion detection systems

Bypassing system calls–based intrusion detection systems

Enhancing Intrusion Detection System with proximity information

The Evolution of System-Call Monitoring

Contact Info

Product

Resources

About