Kuperman, B. A. and Spafford, E. (1998). Generation of application level audit data via library interposition. In CERIAS TR 99-11, COAST Laboratory, Purdue University, West Lafayette.
....on the privilege level at which the process is running. Therefore, we set the report level to be of increasingly high priority when functions are being called by a regular user (EUID≠0, EUID=UID) or by a root process (EUID=0) and we collect the events whenever users change their privileges [6]. [Fig 1. An example of privilege change by buffer overflow attack] 3 IDS based on privilege flows modeling Many intrusions are to obtain root authority. ....
Kuperman, B. A. and Eugene H. Spafford, "Generation of application level audit data via library interposition", CERIAS TR 99-11, COAST Laboratory, Purdue University, West Lafayette, IN, October 1998.
....(in some cases, an audit trail is the only place where some information can be obtained) Wrapper programs that interact with existing applications or utilities, and that try to observe their behavior by looking at their inputs and outputs. Wrapper libraries using library interposition [6]. Using this technique, calls to library functions can be intercepted, monitored, modified or even cancelled by the interposing library. This technique can detect a wide range of attacks, but it is limited because it can only look at the data available as arguments to each call. It cannot have ....
Benjamin A. Kuperman and Eugene H. Spafford. Generation of application level audit data via library interposition. CERIAS TR 99-11, COAST Laboratory, Purdue University, West Lafayette, IN, October 1998. URL https://www.cerias.purdue.edu/techreports-ssl/public/99-11.ps.
....that component. For example, a program that uses the ps command [146] to obtain process information on a Unix system could be considered an external sensor. If the process information gathering component was built into the Unix kernel, it would be considered an internal sensor. A library wrapper [81] is considered as an external sensor because its code is separate from that of the program it monitors. According to our definitions, an internal sensor could also be built into hardware components; for example, in the firmware of a network interface card. Internal sensors are part of the source ....
....cases an audit trail is the only place where information can be obtained by an external sensor. Wrapper programs that interact with existing applications or utilities and try to observe their behavior by looking at their inputs and outputs. Wrapper libraries using library interposition [81]. Using this technique, calls to library functions can be intercepted, monitored, modified or even cancelled by the interposing library. This is a powerful technique that can detect a wide range of attacks, but it is limited because it can only look at the data available as arguments to each call ....
[Article contains additional citation context not shown here]
Benjamin A. Kuperman and Eugene H. Spafford. Generation of application level audit data via library interposition. CERIAS TR 99-11, COAST Laboratory, Purdue University, West Lafayette, Indiana, October 1998. URL https://www.cerias.purdue.edu/techreports-ssl/public/99-11.ps.
No context found.
Kuperman, B. A. and Spafford, E. (1998). Generation of application level audit data via library interposition. In CERIAS TR 99-11, COAST Laboratory, Purdue University, West Lafayette.
No context found.
Kuperman, B. A. and Spafford, E. (1999). Generation of Application Level Audit Data via Library Interposition. Technical Report TR-99-11, CERIAS.