Gray-box anomaly detection using system call monitoring (2007).
| Content Provider | CiteSeerX |
|---|---|
| Author | Gao, Debin |
| Abstract | Many host-based anomaly detection systems monitor a process by observing the system calls it makes, and comparing these calls to a model of normal behavior for the program that the process is executing. In this thesis we explore two novel approaches for constructing the normal behavior model for anomaly detection. We introduce execution graph, which is the first model that both requires no static analysis of the program source or binary, and conforms to the control flow graph of the program. When used as the model in an anomaly detection system monitoring system calls, it (i) accepts only system call sequences that are consistent with the control flow graph of the program; (ii) is maximal given a set of training data, meaning that any extensions to the execution graph could permit some intrusions to go undetected. We formalize and prove these claims, and evaluate the performance of an anomaly detector using execution graphs. Behavioral distance compares the behavior of a process to the behavior of another process that is executing on the same input but that either runs on a different operating system or runs a different program that has similar functionality. Assuming their diversity renders |
| File Format | |
| Publisher Date | 2007-01-01 |
| Access Restriction | Open |
| Subject Keyword | Control Flow Graph; Similar Functionality; Execution Graph; Novel Approach; Program Source; Training Data; Anomaly Detector; Many Host-based Anomaly Detection System; System Call Sequence; Anomaly Detection; Normal Behavior; System Call Monitoring; Different Operating System; Diversity Render; Gray-box Anomaly Detection; Anomaly Detection System; Static Analysis; Behavioral Distance; Different Program; Normal Behavior Model; First Model |
| Content Type | Text |
| Resource Type | Thesis |
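The abstract describes an execution-graph model that is built from training traces alone, uses no static analysis, and accepts only system-call sequences consistent with what was observed. As an added illustration (not code from the thesis, and a deliberate simplification of its execution graph rather than its formal construction), the Python below learns a gray-box model whose nodes are (syscall, return-address stack) pairs and whose edges are the transitions seen in training, then compares it with a name-only black-box model on a constructed trace in which an attacker issues a syscall sequence that is valid by name but comes from an injected call stack. All addresses, traces and function names are constructed assumptions.

```python
"""Minimal gray-box system-call model (added illustration, not the thesis's code).

Each trace event is (syscall, stack), where stack is the tuple of user-space
return addresses on the call stack when the syscall was made.  That stack is the
gray-box information that lets the model tell the same syscall apart when it is
issued from different program locations.  Training records the events and the
transitions between consecutive events; checking flags any event or transition
never seen in training.  All addresses and traces below are constructed."""
from collections import defaultdict


class SyscallGraphModel:
    """Nodes = (syscall, return-address stack); edges = observed consecutive pairs.

    Accepts exactly the traces that start at a learned start node and walk only
    learned edges, so a loop seen in training is accepted for any number of
    iterations, while an unseen node or transition is rejected."""

    def __init__(self, use_stack=True):
        self.use_stack = use_stack      # False gives a black-box, name-only model
        self.nodes = set()
        self.starts = set()
        self.edges = defaultdict(set)

    def _key(self, event):
        syscall, stack = event
        return (syscall, tuple(stack)) if self.use_stack else (syscall, ())

    def train(self, traces):
        for trace in traces:
            keys = [self._key(e) for e in trace]
            if not keys:
                continue
            self.starts.add(keys[0])
            self.nodes.update(keys)
            for prev, nxt in zip(keys, keys[1:]):
                self.edges[prev].add(nxt)

    def check(self, trace):
        """Return [(index, reason), ...] for anomalous events; [] means accepted."""
        anomalies = []
        prev = None
        for i, event in enumerate(trace):
            key = self._key(event)
            if key not in self.nodes:
                anomalies.append((i, "unseen syscall/stack"))
                prev = None             # resynchronise instead of cascading
                continue
            if prev is None:
                if i == 0 and key not in self.starts:
                    anomalies.append((i, "unseen start"))
            elif key not in self.edges.get(prev, ()):
                anomalies.append((i, "unseen transition"))
            prev = key
        return anomalies


# Constructed traces of a hypothetical program: main() calls load_config(), which
# opens a file and reads it in a loop, then log_message() writes one line.
MAIN, LOAD, LOOP, LOG = 0x401000, 0x401180, 0x4011C0, 0x401300   # hypothetical
OPEN = ("open", (MAIN, LOAD))
READ = ("read", (MAIN, LOAD, LOOP))
CLOSE = ("close", (MAIN, LOAD))
WRITE = ("write", (MAIN, LOG))

TRAINING = [
    [OPEN, READ, CLOSE, WRITE],
    [OPEN, READ, READ, CLOSE, WRITE],
]

# A write issued from injected code: same syscall name, never-seen call stack.
INJECTED_WRITE = ("write", (MAIN, LOAD, 0xDEADBEEF))


def demo():
    gray = SyscallGraphModel(use_stack=True)
    black = SyscallGraphModel(use_stack=False)
    gray.train(TRAINING)
    black.train(TRAINING)
    long_loop = [OPEN, READ, READ, READ, READ, CLOSE, WRITE]      # loop unrolled further
    attack = [OPEN, READ, CLOSE, INJECTED_WRITE]                  # valid by name only
    return {
        "gray_accepts_long_loop": gray.check(long_loop) == [],
        "gray_flags_attack": gray.check(attack),
        "black_accepts_attack": black.check(attack),
        "gray_flags_execve": gray.check([OPEN, READ, ("execve", (MAIN, LOAD, LOOP))]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The name-only model accepts the attack trace because open, read, close, write is a sequence it saw in training; the gray-box model rejects it because the final write arrives from a call stack that no training run produced. The unrolled-loop case shows the kind of generalisation the abstract's maximality claim is about: the learned graph accepts any number of loop iterations but nothing that was not an observed edge.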