Anomaly detection using call stack information

被引:126
作者
Feng, HHP [1 ]
Kolesnikov, OM [1 ]
Fogla, P [1 ]
Lee, WK [1 ]
Gong, WB [1 ]
机构
[1] Univ Massachusetts, Dept Elect & Comp Engn, Amherst, MA 01003 USA
来源
2003 IEEE SYMPOSIUM ON SECURITY AND PRIVACY, PROCEEDINGS | 2003年
关键词
D O I
10.1109/SECPRI.2003.1199328
中图分类号
TP [自动化技术、计算机技术];
学科分类号
0812 ;
摘要
The call stack of a program execution can be a very good information source for intrusion detection. There is no prior work on dynamically extracting information from call stack and effectively using it to detect exploits. In this paper we propose a new method to do anomaly detection using call stack information. The basic idea is to extract return addresses from the call stack , and generate abstract execution path between two program execution points. Experiments show that our method can detect some attacks that cannot be detected by other approaches, while its convergence and false positive performance is comparable to or better than the other approaches. We compare our method with other approaches by analyzing their underlying principles and thus achieve a better characterization of their performance, in particular on what and why attacks will be missed by the various approaches.
引用
收藏
页码:62 / 75
页数:14
相关论文
共 20 条
[1]  
[Anonymous], 7 USENIX SEC S SAN A
[2]  
ASHCRAFT K, 2002, IEEE S SEC PRIV OAKL
[3]  
Cowan C., 1998, 7 USENIX SEC S SAN A
[4]  
COWAN C, 2000, DARPA INF SURV C EXP
[5]  
FLORATOS A, 1998, 98A000290 IBM
[6]   A sense of self for unix processes [J].
Forrest, S ;
Hofmeyr, SA ;
Somayaji, A ;
Longstaff, TA .
1996 IEEE SYMPOSIUM ON SECURITY AND PRIVACY, PROCEEDINGS, 1996, :120-128
[7]  
Ghosh AK, 1999, USENIX ASSOCIATION PROCEEDINGS OF THE EIGHTH USENIX SECURITY SYMPOSIUM (SECURITY '99), P141
[8]  
GIFFIN JT, 2002, 11 USENIX SEC S
[9]  
Hofmeyr S. A., 1998, Journal of Computer Security, V6, P151
[10]  
Ko C., 1994, Proceedings. 10th Annual Computer Security Applications Conference (Cat. No.94TH8032), P134, DOI 10.1109/CSAC.1994.367313
12