TY - JOUR
T1 - Long-span program behavior modeling and attack detection
AU - Shu, Xiaokui
AU - Yao, Danfeng
AU - Ramakrishnan, Naren
AU - Jaeger, Trent
N1 - Funding Information:
This work has been supported by ONR grant N00014-13-1-0016, AFRL and DARPA grant FA8650-15-C-7561, ARO YIP W911NF-14-1-0535, ARL W911NF-13-2-0045, and Army Research Laboratory W911NF-13-2-0045 (ARL Cyber Security CRA). The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Army Research Laboratory or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation hereon. A preliminary version of the work appeared in the Proceedings of the 2015 ACM Conference on Computer and Communications Security (CCS) [53]. Authors’ addresses: X. Shu, 1101 Kitchawan Rd, Yorktown Heights, NY 10598; email: xiaokui.shu@ibm.com; D. (Daphne) Yao, 2202 Kraft Drive, Blacksburg, VA 24060; email: danfeng@vt.edu; N. Ramakrishnan, VTRC-Arlington, Room 5-026, 900 North Glebe Road, Arlington, VA 22203; email: naren@cs.vt.edu; T. Jaeger, 346A IST Building, University Park, PA 16802; email: tjaeger@cse.psu.edu. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org. 2017 Copyright is held by the owner/author(s). Publication rights licensed to ACM. ACM 2471-2566/2017/09-ART12 $15.00 https://doi.org/10.1145/3105761
PY - 2017/9
Y1 - 2017/9
N2 - Intertwined developments between program attacks and defenses drive the evolution of program anomaly detection methods. Emerging categories of program attacks, e.g., non-control data attacks and data-oriented programming, are able to comply with normal trace patterns at local views. This article points out the deficiency of existing program anomaly detection models against new attacks and presents long-span behavior anomaly detection (LAD), a model based on mildly context-sensitive grammar verification. The key feature of LAD is its reasoning about correlations among arbitrary events that occurred in long program traces. It extends existing correlation analysis between events at a stack snapshot, e.g., paired call and ret, to correlation analysis among events that historically occurred during the execution. The proposed method leverages specialized machine learning techniques to probe normal program behavior boundaries in a vast high-dimensional detection space. Its two-stage modeling/detection design analyzes event correlation at both binary and quantitative levels. Our prototype successfully detects all reproduced real-world attacks against sshd, libpcre, and sendmail. The detection procedure incurs 0.1 ms to 1.3 ms overhead to profile and analyze a single behavior instance that consists of tens of thousands of function call or system call events.
AB - Intertwined developments between program attacks and defenses drive the evolution of program anomaly detection methods. Emerging categories of program attacks, e.g., non-control data attacks and data-oriented programming, are able to comply with normal trace patterns at local views. This article points out the deficiency of existing program anomaly detection models against new attacks and presents long-span behavior anomaly detection (LAD), a model based on mildly context-sensitive grammar verification. The key feature of LAD is its reasoning about correlations among arbitrary events that occurred in long program traces. It extends existing correlation analysis between events at a stack snapshot, e.g., paired call and ret, to correlation analysis among events that historically occurred during the execution. The proposed method leverages specialized machine learning techniques to probe normal program behavior boundaries in a vast high-dimensional detection space. Its two-stage modeling/detection design analyzes event correlation at both binary and quantitative levels. Our prototype successfully detects all reproduced real-world attacks against sshd, libpcre, and sendmail. The detection procedure incurs 0.1 ms to 1.3 ms overhead to profile and analyze a single behavior instance that consists of tens of thousands of function call or system call events.
UR - http://www.scopus.com/inward/record.url?scp=85030228904&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85030228904&partnerID=8YFLogxK
U2 - 10.1145/3105761
DO - 10.1145/3105761
M3 - Article
AN - SCOPUS:85030228904
VL - 20
JO - ACM Transactions on Privacy and Security
JF - ACM Transactions on Privacy and Security
SN - 2471-2566
IS - 4
M1 - 12
ER -