A Formal Framework for Program Anomaly Detection

Question

1. What contributions have the authors mentioned in the paper "A formal framework for program anomaly detection" ?

2. What have the authors stated for future works in "A formal framework for program anomaly detection" ?

3. What are the main types of control-flow enforcement techniques?

4. What are the common probabilistic detection methods?

Accepted Answer

In this paper, the authors formalize the general program anomaly detection problem and point out two of its key properties.. The authors present a unified framework to present any program anomaly detection method in terms of its detection capability.. The authors prove the theoretical accuracy limit for program anomaly detection with an abstract detection machine.. The authors show how existing solutions are positioned in their framework and illustrate the gap between state-of-the-art methods and the theoretical accuracy limit.. The authors also point out some potential modeling features for future program anomaly detection evolution.

Accepted Answer

More accurate context-sensitive language models can be explored with pragmatic constraints in the future.. Their framework has the potential to serve as a roadmap and help researchers approach the ultimate program defense without attack signature specification.

Accepted Answer

Control-flow enforcement techniques range from the protection of return addresses, the protection of indirect control-flow transfers (CFI), to the protection of all code pointers (CPI).

Accepted Answer

Typical probabilistic detection methods include hidden Markov model (HMM) [61, 64], classification methods [16, 37, 41, 46], artificial neural network [27], data mining approaches [40], etc.

Accepted Answer

A canonical example of L-4 methods is to analyze individual system events in system logs and summarize the result through machine learning mechanisms [16].

Accepted Answer

Calling-context-sensitive methods8 are more precise than non-calling-contextsensitive ones because mimicked calls from incorrect call-sites are detected.

Accepted Answer

The detection capability of a program anomaly detection method Λ is its ability to detect attacks or anomalous program behaviors.

Accepted Answer

The most accurate program anomaly detection model in theory, which verifies higher-order event transitions with full knowledge of program internal activities.

Accepted Answer

Procedure transitions (nested callsites) can be stored in the stack so that L-2 methods can verify the return of each function/library/system call.

Accepted Answer

Security problems in program executions – caused by program bugs, inappropriate program logic, or insecure system designs – were first recognized by the Air Force, the Advanced Research Projects Agency (ARPA), and IBM in early 1970s.

Accepted Answer

A polluted training dataset prevents a precise learning of the scope of the norm for a detection model, which results in false negatives in detection.

Accepted Answer

The anomaly detection problem in N-variant methods is to tell whether one of the concurrently running replicas is behaving differently from its peers; Nvariant methods calculate the behavior distance among process replicas.

Accepted Answer

Their framework has the potential to serve as a roadmap and help researchers approach the ultimate program defense without attack signature specification.

Accepted Answer

A real-world program anomaly detection system Λ defines a language LΛ (a deterministic or probabilistic set of normal practical program traces) and establishes an attestation procedure GΛ to test whether a practical program trace T̈ is accepted by LΛ.

Accepted Answer

Denning proposed an intrusion detection expert system (IDES) in 1987 [15], which learns how a system should behave (normal profiles) instead of how itshould not (e.g., an attack).

Accepted Answer

argument analysis does not increase the precision level of a detection method, e.g., an n-gram approach with argument reasoning is still an L-3 approach.

A Formal Framework for Program Anomaly Detection

Chat with Paper

AI Agents for this Paper

Most frequently asked questions

1. What contributions have the authors mentioned in the paper "A formal framework for program anomaly detection" ?

2. What have the authors stated for future works in "A formal framework for program anomaly detection" ?

3. What are the main types of control-flow enforcement techniques?

4. What are the common probabilistic detection methods?

5. What is the example of a canonical example of L-4 methods?

6. Why are calling-context sensitive methods more precise than noncalling-contextsensitive?

7. What is the definition of a program anomaly detection method?

8. What is the accurate program anomaly detection model in theory?

9. What is the accurate method to verify the return of a function/library/system call?

10. What were the first recognized security problems in program executions?

11. What is the main issue with a polluted training dataset?

12. What is the purpose of the anomaly detection problem in N-variant methods?

13. What is the purpose of the framework?

14. What is the definition of a real-world program anomaly detection system?

15. What was the first idea of intrusion detection expert system?

16. What is the reason why argument analysis does not increase the precision of a detection method?

Figures

Citations

UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats.

UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats

Behavioral distance measurement using hidden markov models

Pagoda: A Hybrid Approach to Enable Efficient Real-Time Provenance Based Intrusion Detection in Big Data Environments

Unifying intrusion detection and forensic analysis via provenance awareness

References

Introduction to Automata Theory, Languages, and Computation

Anomaly detection: A survey

An Intrusion-Detection Model

Three models for the description of language

A sense of self for Unix processes

Related Papers (5)

Intrusion detection via static analysis

Detecting intrusions using system calls: alternative data models

Unearthing Stealthy Program Attacks Buried in Extremely Long Execution Paths

A fast automaton-based method for detecting anomalous program behaviors

Mimicry attacks on host-based intrusion detection systems