ABSTRACT
This tutorial will present an overview of program anomaly detection, which models normal program behavior and discovers aberrant executions caused by attacks, misconfigurations, program bugs, and unusual usage patterns. The approach was first introduced as an analogy between intrusion detection for programs and the immune system in biology. Advanced models have been developed in the last decade, adopting techniques such as hidden Markov models and machine learning. We will introduce the audience to the problem of program attacks and to the anomaly detection approach against such threats. We will give a general definition of program anomaly detection and derive model abstractions from that definition. The audience will be walked through the development of program anomaly detection methods, from the early n-gram approaches to pushdown automata and probabilistic models. Lab tools will be provided to help the audience understand primitive detection models; this exercise conveys the objectives and challenges in designing program anomaly detection models. We will discuss the attacks that subvert anomaly detection mechanisms and present a field map of program anomaly detection. We will also briefly discuss applications of program anomaly detection in Internet of Things security. We expect the audience to leave with an understanding of the unsolved challenges in the field and a sense of future directions for program anomaly detection.
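The "primitive detection model" the abstract starts from is the n-gram (STIDE-style) system-call model of Forrest et al.: normal behavior is the set of fixed-length windows of system calls observed in training traces, and a new trace is scored by the fraction of its windows that were never seen. The following is an added illustration written for this page, not code from the tutorial or its authors; the process name, the system-call traces and the three test traces are constructed by hand, and the threshold is an assumed value. It shows the model catching an injected `execve`, raising a false alarm on a benign path that training never exercised, and missing a mimicry trace stitched entirely from known windows, which is the class of subversion attack the abstract refers to.

```python
"""STIDE-style n-gram system-call anomaly detector.

Added illustration (not code from the tutorial or its authors): a process's
normal behaviour is modelled as the set of length-n windows of system calls
observed in training traces, and a new trace is scored by the fraction of its
windows never seen in training. All traces below are constructed by hand.
"""

# Constructed traces of a hypothetical file server's normal behaviour.
NORMAL_TRACES = [
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
    ["open", "fstat", "mmap", "close"],
    ["socket", "bind", "listen", "accept", "read", "write", "close"],
    ["accept", "read", "write", "close", "accept", "read", "write", "close"],
]


def windows(trace, n):
    """Return every contiguous length-n window of the trace as a tuple."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


class NgramModel:
    """Normal-behaviour database of system-call n-grams."""

    def __init__(self, n=3, threshold=0.2):
        self.n = n
        self.threshold = threshold  # assumed: fraction of unseen windows that alarms
        self.normal = set()

    def train(self, traces):
        for trace in traces:
            self.normal.update(windows(trace, self.n))

    def unseen(self, trace):
        """Windows of the trace that are absent from the normal database."""
        return [w for w in windows(trace, self.n) if w not in self.normal]

    def score(self, trace):
        """Anomaly score in [0, 1]: fraction of windows never seen in training."""
        total = len(windows(trace, self.n))
        if total == 0:  # trace shorter than n: nothing to compare against
            return 0.0
        return len(self.unseen(trace)) / total

    def is_anomalous(self, trace):
        return self.score(trace) > self.threshold


def build_model():
    """Train a 3-gram model on the constructed normal traces."""
    model = NgramModel(n=3)
    model.train(NORMAL_TRACES)
    return model


# Three constructed test traces.
# 1. Code injection that spawns a shell after accepting a connection.
ATTACK_EXECVE = ["socket", "bind", "listen", "accept", "read", "execve"]
# 2. A legitimate code path that the training set never exercised.
UNSEEN_BENIGN = ["open", "fstat", "mmap", "read", "close"]
# 3. A mimicry attack: every window was seen in training, so the attacker's
#    calls (whose arguments the model never looks at) score as normal.
MIMICRY = ["socket", "bind", "listen", "accept", "read", "write", "close",
           "accept", "read", "write", "close"]

if __name__ == "__main__":
    model = build_model()
    for name, trace in [("execve injection", ATTACK_EXECVE),
                        ("unseen benign path", UNSEEN_BENIGN),
                        ("mimicry", MIMICRY)]:
        print(f"{name:20s} score={model.score(trace):.2f} "
              f"anomalous={model.is_anomalous(trace)} unseen={model.unseen(trace)}")
```

Two properties of the model are visible in the output: the score depends only on system-call names and their order, so an attack that reuses the program's own call patterns with different arguments is invisible, and incomplete training produces false alarms on benign paths, which is why the later models in the tutorial add call-stack context and probabilities instead of a flat window set.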
REFERENCES
- D. E. Denning. An intrusion-detection model. IEEE Transactions on Software Engineering, 13(2):222--232, 1987.
- S. Forrest, S. A. Hofmeyr, A. Somayaji, and T. A. Longstaff. A sense of self for Unix processes. In Proceedings of the IEEE Symposium on Security and Privacy, pages 120--128. IEEE Computer Society, 1996.
- D. Gao, M. K. Reiter, and D. Song. Behavioral distance measurement using hidden Markov models. In Proceedings of the International Symposium on Research in Attacks, Intrusions and Defenses, pages 19--40. Springer, 2006.
- H. Hu, S. Shinde, S. Adrian, Z. L. Chua, P. Saxena, and Z. Liang. Data-oriented programming: On the expressiveness of non-control data attacks. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society, 2016.
- A. P. Kosoresow and S. A. Hofmeyr. Intrusion detection via system call traces. IEEE Software, 14(5):35--42, 1997.
- W. Lee and S. J. Stolfo. Data mining approaches for intrusion detection. In Proceedings of the USENIX Security Symposium, pages 6--6. USENIX Association, 1998.
- R. Sekar, M. Bendre, D. Dhurjati, and P. Bollineni. A fast automaton-based method for detecting anomalous program behaviors. In Proceedings of the IEEE Symposium on Security and Privacy, pages 144--155. IEEE Computer Society, 2001.
- X. Shu, D. Yao, and N. Ramakrishnan. Unearthing stealthy program attacks buried in extremely long execution paths. In Proceedings of the 2015 ACM Conference on Computer and Communications Security (CCS), pages 401--413. ACM, October 2015.
- X. Shu, D. Yao, and B. G. Ryder. A formal framework for program anomaly detection. In Proceedings of the 18th International Symposium on Research in Attacks, Intrusions and Defenses (RAID), pages 270--292. Springer, November 2015.
- D. Wagner and R. Dean. Intrusion detection via static analysis. In Proceedings of the IEEE Symposium on Security and Privacy, pages 156--168. IEEE Computer Society, 2001.
- C. Warrender, S. Forrest, and B. Pearlmutter. Detecting intrusions using system calls: Alternative data models. In Proceedings of the IEEE Symposium on Security and Privacy, pages 133--145. IEEE Computer Society, 1999.
- K. Xu, K. Tian, D. Yao, and B. G. Ryder. A sharper sense of self: Probabilistic reasoning of program behaviors for anomaly detection with context sensitivity. In Proceedings of the 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). IEEE, May 2016.
- K. Xu, D. D. Yao, B. G. Ryder, and K. Tian. Probabilistic program modeling for high-precision anomaly classification. In Proceedings of the IEEE 28th Computer Security Foundations Symposium, pages 497--511. IEEE, July 2015.