Analysis of Computer Intrusions Using Sequences of Function Calls

Analysis of Computer Intrusions Using Sequences of Function Calls (2006)

Cached

Download Links

Other Repositories/Bibliography

DBLP

by Sean Peisert , Matt Bishop , Sidney Karin , Keith Marzullo

Venue:	IEEE Transactions on Dependable and Secure Computing (TDSC
Citations:	13 - 11 self

BibTeX

@INPROCEEDINGS{Peisert06analysisof,
    author = {Sean Peisert and Matt Bishop and Sidney Karin and Keith Marzullo},
    title = {Analysis of Computer Intrusions Using Sequences of Function Calls},
    booktitle = {IEEE Transactions on Dependable and Secure Computing (TDSC},
    year = {2006},
    publisher = {}
}

Years of Citing Articles

Bookmark

OpenURL

Abstract

Abstract—This paper demonstrates the value of analyzing sequences of function calls for forensic analysis. Although this approach has been used for intrusion detection (that is, determining that a system has been attacked), its value in isolating the cause and effects of the attack has not previously been shown. We also look for not only the presence of unexpected events but also the absence of expected events. We tested these techniques using reconstructed exploits in su, ssh, and lpr, as well as proof-of-concept code, and, in all cases, were able to detect the anomaly and the nature of the vulnerability.

Citations

388	Enforceable security policies - Schneider - 2000
363	An intrusion-detection model - Denning - 1987
342	Constructive Analysis - Bishop, Bridges - 1985
279	Detecting intrusions using system calls: Alternative data models - Warrender, Forrest, et al. - 1999
277	ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay - Dunlap, King, et al. - 2002
266	Data mining approaches for intrusion detection - Lee, Stolfo - 1998
245	Intrusion Detection Using Sequences of System Calls - Hofmeyr, Forrest, et al. - 1998
245	D (2001) Intrusion detection via static analysis - Wagner, Dean
237	Computer Security Threat Monitoring and Surveillance - Anderson
217	Improving host security with system call policies - Provos - 2003
200	Computer Security: Art and Science - Bishop - 2002
159	Backtracking intrusions - King, Chen - 2005
158	P (2002) Mimicry attacks on host-based intrusion detection systems. In: CCS’02: proc of the 9th ACM conf on comp and comm security - Wagner, Soto
154	Computer security technology planning study - Anderson - 1972
138	A fast automatonbased method for detecting anomalous program behaviors - SEKAR, BENDRE, et al.
137	A ”flight data recorder” for enabling full-system multiprocessor deterministic replay - XU, BODIK, et al.
119	Checking for race conditions in file accesses - Bishop, Dilger - 1996
102	BugNet: Continuously recording program execution for deterministic replay debugging - Narayanasamy, Pokam, et al. - 2005
94	Secure Audit Logs to Support Computer Forensics - Schneier, Kelsey - 1999
74	Detection of anomalous computer session activity - Vaccaro, Liepins
71	Efficient Context-Sensitive Intrusion Detection - Giffin, Jha, et al. - 2004
69	B.: Formalizing Sensitivity in Static Analysis for Intrusion Detection - Feng, Giffin, et al. - 2004
62	Intrusion detection - Bace - 2000
59	Artificial intelligence and intrusion detection: Current and future directions - Frank - 1994
52	Intrusion Detection Using Variable-Length Audit Trail Patterns - Wespi, Dacier, et al. - 2000
51	R.: ”Why 6?” Defining the operational limits of stide, an anomaly-based intrusion detector - Tan, Maxion - 2002
50	F.B.: Computability classes for enforcement mechanisms - Hamlen, Morrisett, et al. - 2006
43	Security Analysis and Enhancements of Computer Operating Systems - Abbott
41	Flexible Containment Mechanism for Executing Untrusted Code - Peterson, Bishop, et al. - 2002
38	Operating System Stability and Security through Process Homeostasis - SOMAYAJI - 2002
36	Enriching intrusion alerts through multi-host causality - King, Mao, et al. - 2005
35	Smashing the stack for fun and - One - 1997
29	Anomalous System Call Detection - MUTZ, VALEUR, et al. - 2006
27	Context sensitive anomaly monitoring of process control flow to detect mimicry attacks and impossible paths - Xu, Du, et al. - 2004
24	A Standard Audit Trail Format - Bishop - 1995
24	Intrusion Detection Systems as Evidence - Sommer - 1999
24	S.: Modeling system calls for intrusion detection with dynamic window sizes - Eskin, Lee, et al.
24	Masquerade detection using enriched command lines - Maxion
23	Forensix: A Robust, High-Performance Reconstruction System - Goel, WC, et al. - 2005
17	A Sense of Self for Unix - Forrest, Hofmeyr, et al. - 1996
17	A Categorization of Computer Security Monitoring Systems and the Impact on the Design of Audit Sources - Kuperman - 2004
16	Engineering fault-tolerant tcp/ip servers using ft-tcp - Zagorodnov, Marzullo, et al. - 2003
15	Principles-driven forensic analysis - Peisert, Karin, et al. - 2005
14	Anomaly Intrusion Detection in Dynamic Execution Environments - Inoue
12	A Model of Security Monitoring - Bishop - 1989
12	Traps and Pitfalls - Garfinkel - 2003
10	The application of intrusion detection systems in a forensic environment. Paper presented at the Recent - Stephenson - 2000
10	The Insider Problem Revisited - Bishop - 2005
9	Forensic Analysis of File System Intrusions using Improved Backtracking - Sitaraman, Venkatesan - 2005
9	Computer security evaluation - NEUMANN - 1978