Undermining an Anomaly-Based Intrusion Detection System Using Common Exploits

Tan, Kymie; Killourhy, Kevin S.; Maxion, Roy A.

doi:10.1007/3-540-36084-0_4

Cited by 133 publications

(94 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Variety of anomaly detection methods utilizing this approach has been proposed [5][6][7][8][9][10][11]. Forrest [5], for example, introduced a simple anomaly detection method based on monitoring the system calls issued by privileged processes.…”

Section: Anomaly Detection Systemsmentioning

confidence: 99%

NewApproach for Detecting Unknown Malicious Executables

Розенберг¹,

Gudes²,

Elovici³

et al. 2010

J Forensic Res

View full text Add to dashboard Cite

Section: Anomaly Detection Systemsmentioning

confidence: 99%

NewApproach for Detecting Unknown Malicious Executables

Розенберг¹,

Gudes²,

Elovici³

et al. 2010

J Forensic Res

View full text Add to dashboard Cite

“…The seminal research on mimicry [9,24] and evasion attacks [20][21][22] demonstrated a critical shortcoming of model-based anomaly detection. Attackers can avoid detection by altering their attacks to appear as a program's normal execution.…”

Section: Related Workmentioning

confidence: 99%

“…Mimicry and evasion attacks avoid detection by transforming an attack sequence of system calls so that it is accepted by a program model yet still carries out the same malicious action. Previous research found examples of mimicry attacks against high-privilege processes restricted by a model-based detector [20][21][22]24]. However, the attacks were constructed manually by iterating between an attack sequence and a program model until the attack could be made to appear normal.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Automated Discovery of Mimicry Attacks

Giffin¹,

Jha²,

Miller³

2006

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Model-based anomaly detection systems restrict program execution by a predefined model of allowed system call sequences. These systems are useful only if they detect actual attacks. Previous research developed manuallyconstructed mimicry and evasion attacks that avoided detection by hiding a malicious series of system calls within a valid sequence allowed by the model. Our work helps to automate the discovery of such attacks. We start with two models: a program model of the application's system call behavior and a model of security-critical operating system state. Given unsafe OS state configurations that describe the goals of an attack, we then find system call sequences allowed as valid execution by the program model that produce the unsafe configurations. Our experiments show that we can automatically find attack sequences in models of programs such as wu-ftpd and passwd that previously have only been discovered manually. When undetected attacks are present, we frequently find the sequences with less than 2 seconds of computation.

show abstract

“…Several researchers have pointed out the need to include the resistance against attacks as part of the evaluation of an IDS [25,27,11,34,29,30,13]. However, the traditional evaluation metrics are based on ideas mainly developed for nonsecurity related fields and therefore, they do not take into account the role of an adversary and the evaluation of the system against this adversary.…”

Section: Introductionmentioning

confidence: 99%