Long-Span Program Behavior Modeling and Attack Detection
Xiaokui Shu, Danfeng Yao, Naren Ramakrishnan, Trent Jaeger +3 more
- 20 Sep 2017
- Vol. 20, Iss. 4, pp. 12
TL;DR: This article points out the deficiency of existing program anomaly detection models against new attacks and presents long-span behavior anomaly detection (LAD), a model based on mildly context-sensitive grammar verification that detects all reproduced real-world attacks against sshd, libpcre, and sendmail.
Abstract: The intertwined development of program attacks and defenses has driven the evolution of program anomaly detection methods. Emerging categories of program attacks, e.g., non-control data attacks and data-oriented programming, are able to comply with normal trace patterns when viewed locally. This article points out the deficiency of existing program anomaly detection models against these new attacks and presents long-span behavior anomaly detection (LAD), a model based on mildly context-sensitive grammar verification. The key feature of LAD is its reasoning about correlations among arbitrary events that occur in long program traces. It extends existing correlation analysis between events at a stack snapshot, e.g., paired call and ret, to correlation analysis among events that occurred at any earlier point in the execution. The proposed method leverages specialized machine learning techniques to probe normal program behavior boundaries in a vast, high-dimensional detection space. Its two-stage modeling/detection design analyzes event correlation at both the binary level (whether events co-occur) and the quantitative level (how often they occur). Our prototype successfully detects all reproduced real-world attacks against sshd, libpcre, and sendmail. The detection procedure incurs 0.1 ms to 1.3 ms of overhead to profile and analyze a single behavior instance that consists of tens of thousands of function call or system call events.
Citations
Log2vec: A Heterogeneous Graph Embedding Based Approach for Detecting Cyber Threats within Enterprise
Fucheng Liu, Yu Wen, Zhang Dongxue, Xihe Jiang, Xinyu Xing, Dan Meng +5 more
- 06 Nov 2019
TL;DR: This work proposes log2vec, a heterogeneous graph embedding based modularized method that remarkably outperforms state-of-the-art approaches, such as deep learning and hidden Markov model (HMM), and shows its capability to detect malicious events in various attack scenarios.
Combining Graph-Based Learning With Automated Data Collection for Code Vulnerability Detection
Huanting Wang, Guixin Ye, Zhanyong Tang, Shin Hwei Tan, Songfang Huang, Dingyi Fang, Yansong Feng, Lizhong Bian, Zheng Wang +8 more
TL;DR: Funded leverages the advances in graph neural networks to develop a novel graph-based learning method to capture and reason about the program’s control, data, and call dependencies to identify software vulnerabilities at the function level from program source code.
UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats.
TL;DR: UNICORN is presented, an anomaly-based APT detector that effectively leverages data provenance analysis that outperforms an existing state-of-the-art APT detection system and detects real-life APT scenarios with high accuracy.
UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats
Xueyuan Han, Thomas Pasquier, Adam Bates, James Mickens, Margo Seltzer +4 more
- 23 Feb 2020
TL;DR: UNICORN, as presented in this paper, is an anomaly-based APT detector that effectively leverages data provenance analysis through extensive yet time-efficient graph analysis to identify stealthy anomalous activities without pre-defined attack signatures.
CONAN: A Practical Real-time APT Detection System with High Accuracy and Efficiency
Xiong Chunlin, Tiantian Zhu, Weihao Dong, Linqi Ruan, Runqing Yang, Yan Chen, Yueqiang Cheng, Shuai Cheng, Xutong Chen +8 more
TL;DR: A novel and accurate APT detection model is proposed that removes unnecessary phases and focuses on the remaining ones with improved definitions, together with a state-based framework in which events are consumed as streams and each entity is represented in an FSA-like structure without storing historic data.
References
LIII. On lines and planes of closest fit to systems of points in space
TL;DR: This paper is concerned with the construction of lines and planes of closest fit to systems of points in space and the relationships between these lines and planes.
An Intrusion-Detection Model
TL;DR: A model of a real-time intrusion-detection expert system capable of detecting break-ins, penetrations, and other forms of computer abuse is described, based on the hypothesis that security violations can be detected by monitoring a system's audit records for abnormal patterns of system usage.
- Proceedings Article
Support Vector Method for Novelty Detection
Bernhard Schölkopf, Robert C. Williamson, Alexander J. Smola, John Shawe-Taylor, John Platt +4 more
- 29 Nov 1999
TL;DR: The algorithm is a natural extension of the support vector algorithm to the case of unlabelled data and is regularized by controlling the length of the weight vector in an associated feature space.
A sense of self for Unix processes
Stephanie Forrest, Steven Hofmeyr, Anil Somayaji, Thomas A. Longstaff +3 more
- 06 May 1996
TL;DR: A method for anomaly detection is introduced in which "normal" is defined by short-range correlations in a process' system calls, and initial experiments suggest that the definition is stable during normal behaviour for standard UNIX programs.
- Proceedings Article
Inferring internet denial-of-service activity
David Moore, Geoffrey M. Voelker, Stefan Savage +2 more
- 13 Aug 2001
TL;DR: This article presents a new technique, called "backscatter analysis," that provides a conservative estimate of worldwide denial-of-service activity, and is believed to be the first to provide quantitative estimates of Internet-wide denial-of-service activity.