Context Sensitive Anomaly Monitoring of Process Control Flow to Detect Mimicry Attacks and Impossible Paths Export

@incollection{citeulike:2943800, abstract = {Many intrusions amplify rights or circumvent defenses by issuing system calls in ways that the original process did not. Defense against these attacks emphasizes preventing attacking code from being introduced to the system and detecting or preventing execution of the injected code. Another approach, where this paper fits in, is to assume that both injection and execution have occurred, and to detect and prevent the executing code from subverting the target system. We propose a method using waypoints: marks along the normal execution path that a process must follow to successfully access operating system services. Waypoints actively log trustworthy context information as the program executes, allowing our anomaly monitor to both monitor control flow and restrict system call permissions to conform to the legitimate needs of application functions. We describe our design and implementation of waypoints and present results showing that waypoint-based anomaly monitors can detect a subset of mimicry attacks and impossible paths. Keywords: anomaly detection, context sensitive, waypoint, control flow monitoring, mimicry attacks, impossible paths}, author = {Xu, Haizhi and Du, Wenliang and Chapin, Steve J.}, citeulike-article-id = {2943800}, citeulike-linkout-0 = {http://www.springerlink.com/content/jbtv9j1jdd1gpjuc}, journal = {Recent Advances in Intrusion Detection}, pages = {21--38}, posted-at = {2009-09-29 16:12:08}, priority = {2}, title = {Context Sensitive Anomaly Monitoring of Process Control Flow to Detect Mimicry Attacks and Impossible Paths}, url = {http://www.springerlink.com/content/jbtv9j1jdd1gpjuc}, year = {2004} }

TY - CHAP ID - citeulike:2943800 L3 - citeulike-article-id:2943800 N2 - Many intrusions amplify rights or circumvent defenses by issuing system calls in ways that the original process did not. Defense against these attacks emphasizes preventing attacking code from being introduced to the system and detecting or preventing execution of the injected code. Another approach, where this paper fits in, is to assume that both injection and execution have occurred, and to detect and prevent the executing code from subverting the target system. We propose a method using waypoints: marks along the normal execution path that a process must follow to successfully access operating system services. Waypoints actively log trustworthy context information as the program executes, allowing our anomaly monitor to both monitor control flow and restrict system call permissions to conform to the legitimate needs of application functions. We describe our design and implementation of waypoints and present results showing that waypoint-based anomaly monitors can detect a subset of mimicry attacks and impossible paths. Keywords: anomaly detection, context sensitive, waypoint, control flow monitoring, mimicry attacks, impossible paths JF - Recent Advances in Intrusion Detection EP - 38 TI - Context Sensitive Anomaly Monitoring of Process Control Flow to Detect Mimicry Attacks and Impossible Paths SP - 21 AU - Xu, Haizhi AU - Du, Wenliang AU - Chapin, Steve PY - 2004/// UR - http://www.springerlink.com/content/jbtv9j1jdd1gpjuc ER -