Long-Span Program Behavior Modeling and Attack Detection

Shu, Xiaokui; Yao, Danfeng; Ramakrishnan, Naren; Jaeger, Trent

doi:10.1145/3105761

Cited by 22 publications

(7 citation statements)

References 54 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As a result, they have exhibited little success in detecting APTs. Systems that attempt to capture long-term program behavior [112] limit their analysis to event co-occurrence to avoid high computational and memory overheads.…”

Section: Introductionmentioning

confidence: 99%

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

Han¹,

Pasquier²,

Bates³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

137

111

View full text Add to dashboard Cite

Advanced Persistent Threats (APTs) are difficult to detect due to their "low-and-slow" attack patterns and frequent use of zero-day exploits. We present UNICORN, an anomalybased APT detector that effectively leverages data provenance analysis. From modeling to detection, UNICORN tailors its design specifically for the unique characteristics of APTs. Through extensive yet time-efficient graph analysis, UNICORN explores provenance graphs that provide rich contextual and historical information to identify stealthy anomalous activities without predefined attack signatures. Using a graph sketching technique, it summarizes long-running system execution with space efficiency to combat slow-acting attacks that take place over a long time span. UNICORN further improves its detection capability using a novel modeling approach to understand long-term behavior as the system evolves. Our evaluation shows that UNICORN outperforms an existing state-of-the-art APT detection system and detects reallife APT scenarios with high accuracy.

show abstract

Section: Introductionmentioning

confidence: 99%

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

Han¹,

Pasquier²,

Bates³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

137

111

View full text Add to dashboard Cite

show abstract

“…There is an increasing interest in applying machine learning techniques to software development [73]. Existing approaches address a variety of development tasks, including fuzz testing [74,75], detecting code clone [76,4,19,77], improving static analysis for bug funding [78,79], repairing programs [80], defect prediction [81,82], attack detection [83] and processing bug reports [18,23,24]. FUNDED builds on those past foundations but is quality different from these studies.…”

Section: Related Workmentioning

confidence: 99%

Combining Graph-Based Learning With Automated Data Collection for Code Vulnerability Detection

Wang

Tang

et al. 2021

IEEE Trans.Inform.Forensic Secur.

168

View full text Add to dashboard Cite

“…Program behavior modeling has been an active research topic over the past decade and various models have been proposed for legacy applications [16]. Existing models can be classified into two categories: i) local model (e.g., n-gram model [32], hidden markov model (HMM) based approach [33], finite-state automaton (FSA) model [44]); and ii) long-range model (e.g., frequency distribution based models [31], [39], [45]). Local anomaly detection inspects short-range segments of program execution traces to detect anomalies such as control-flow violations.…”

Section: Program Behavior Model Choicesmentioning

confidence: 99%

Checking is Believing: Event-Aware Program Anomaly Detection in Cyber-Physical Systems

Cheng

Tian

Yao

et al. 2021

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

Securing cyber-physical systems (CPS) against malicious attacks is of paramount importance because these attacks may cause irreparable damages to physical systems. Recent studies have revealed that control programs running on CPS devices suffer from both control-oriented attacks (e.g., code-injection or code-reuse attacks) and data-oriented attacks (e.g., non-control data attacks). Unfortunately, existing detection mechanisms are insufficient to detect runtime data-oriented exploits, due to the lack of runtime execution semantics checking. In this work, we propose Orpheus, a new security methodology for defending against data-oriented attacks by enforcing cyber-physical execution semantics. We first present a general method for reasoning cyber-physical execution semantics of a control program (i.e., causal dependencies between the physical context/event and program control flows), including the event identification and dependence analysis. As an instantiation of Orpheus, we then present a new program behavior model, i.e., the event-aware finite-state automaton (eFSA). eFSA takes advantage of the event-driven nature of CPS control programs and incorporates event checking in anomaly detection. It detects data-oriented exploits if a specific physical event is missing along with the corresponding event dependent state transition. We evaluate our prototype's performance by conducting case studies under data-oriented attacks. Results show that eFSA can successfully detect different runtime attacks. Our prototype on Raspberry Pi incurs a low overhead, taking 0.0001s for each state transition integrity checking, and 0.063s∼0.211s for the cyber-physical contextual consistency checking.

show abstract

Long-Span Program Behavior Modeling and Attack Detection

Cited by 22 publications

References 54 publications

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

Combining Graph-Based Learning With Automated Data Collection for Code Vulnerability Detection

Checking is Believing: Event-Aware Program Anomaly Detection in Cyber-Physical Systems

Contact Info

Product

Resources

About