The Evolution of System-Call Monitoring

Forrest, Stephanie; Hofmeyr, Steven; Somayaji, Anil

doi:10.1109/acsac.2008.54

Cited by 101 publications

(71 citation statements)

References 64 publications

(89 reference statements)

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…The Opcode function calls are captured as a sequence of integers and extracted with no additional processing, thereby reducing the log trace overhead. Evaluating only function keyword sequences has also be successfully deployed at the kernel level for anomaly detection in operating systems [12,13,34,53].…”

Section: Data Extractionmentioning

confidence: 99%

See 1 more Smart Citation

Efficient and effective realtime prediction of drive-by download attacks

Jayasinghe

Culpepper

Bertók

2014

Journal of Network and Computer Applications

View full text Add to dashboard Cite

Section: Data Extractionmentioning

confidence: 99%

“…Figure 1 is a sample snippet of JavaScript code used to perform a drive-by download attack. The code contains a shellcode (line 2), a routine for constructing a NOP sled (lines 3-10), and a heap spraying attack (lines [12][13][14][15][16][17][18]. The shellcode is a binary payload injected and executed on a user device.…”

Section: Introductionmentioning

confidence: 99%

Efficient and effective realtime prediction of drive-by download attacks

Jayasinghe

Culpepper

Bertók

2014

Journal of Network and Computer Applications

View full text Add to dashboard Cite

“…Dynamic malware analysis methods monitor the interactions between a malware sample and an operating system kernel [19,20], e.g. invoked system calls and its arguments.…”

Section: Interrelation Between Observed Objectsmentioning

confidence: 99%

Towards Automated Malware Behavioral Analysis and Profiling for Digital Forensic Investigation Purposes

Shosha

James

Hannaway

et al. 2013

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

View full text Add to dashboard Cite

Abstract. Digital forensic investigators commonly use dynamic malwareanalysis methods to analyze a suspect executable found during a post-mortem analysis of the victim's computer. Unfortunately, currently proposed dynamic malware analysis methods and sandbox solutions have a number of limitations that may lead the investigators to ambiguous conclusions. In this research, the limitations of the use of current dynamic malware analysis methods in digital forensic investigations are highlighted. In addition, a method to profile dynamic kernel memory to complement currently proposed dynamic profiling techniques is proposed. The proposed method will allow investigators to automate the identification of malicious kernel objects during a post-mortem analysis of the victim's acquired memory. The method is implemented in a prototype malware analysis environment to automate the process of profiling malicious kernel objects and assist malware forensic investigation. Finally, a case study is given to demonstrate the efficacy of the proposed approach.

show abstract

“…Even without a contemplation of the accuracy of the CFG, a couple of issues arise from this conceptual control flow validation scenario such as CFG granularity and the representation and storage of the CFG. System-call-level CFG was utilized during the early days of the technology to reduce the overhead of the CFG representation and storage, and also to enable access to the CFG at runtime [13]; however, such a coarse-grain CFG often fails to catch a compromised control flow because many hundreds or thousands of instructions can exist between the system calls.…”

Section: Introductionmentioning

confidence: 99%

Program Counter Encoding for ARM<sup>&reg;</sup> Architecture

Park¹,

Lee²,

Lee³

2017

JIS

View full text Add to dashboard Cite

ARM® is the prevalent processor architecture for embedded and mobile applications. For the smartphones, it is the processor for which software applications are running, whether the platform is with Apple's iOS or Google's Android. Software operations under these platforms are prone to semantic gap, which refers to potential difference between intended operations described in software and actual operations done by processor. Attacks that compromise program control flows, which result in these mantic gaps, are a major attack type in modern software attacks. Many recent software protection schemes for servers and desktops focus on protecting program control flows, but there are little protection tools available for protecting program control flows of mobile applications for ARM processor architecture. This paper uses a program counter (PC) encoding technique (PC-Encoding) to harden program control flows under ARM processor architecture. The PC-Encoding directly encodes control flow target addresses that will load into the PC. It is simple and intuitive to implement and incur little overhead. Encoding the control flow target addresses can minimize the semantic gap by preventing potential compromises of the control flows. This paper describes our efforts of implementing PC-Encoding to harden portable binaries in ELF (Executable and Linkable Format).

show abstract

The Evolution of System-Call Monitoring

Cited by 101 publications

References 64 publications

Efficient and effective realtime prediction of drive-by download attacks

Efficient and effective realtime prediction of drive-by download attacks

Towards Automated Malware Behavioral Analysis and Profiling for Digital Forensic Investigation Purposes

Program Counter Encoding for ARM<sup>&reg;</sup> Architecture

Contact Info

Product

Resources

About

The Evolution of System-Call Monitoring

Cited by 101 publications

References 64 publications

Efficient and effective realtime prediction of drive-by download attacks

Efficient and effective realtime prediction of drive-by download attacks

Towards Automated Malware Behavioral Analysis and Profiling for Digital Forensic Investigation Purposes

Program Counter Encoding for ARM&lt;sup&gt;&amp;reg;&lt;/sup&gt; Architecture

Contact Info

Product

Resources

About

Program Counter Encoding for ARM<sup>®</sup> Architecture