Context Sensitive Anomaly Monitoring of Process Control Flow to Detect Mimicry ￡ Attacks a.pdf

下载文档

4
0
约5.26万字
约 19页
2017-04-06 发布于江苏
举报
版权申诉
保障服务

Context Sensitive Anomaly Monitoring of Process Control Flow to Detect Mimicry ￡ Attacks a.pdf

1、本文档共19页，可阅读全部内容。
2、原创力文档（book118）网站文档一经付费（服务费），不意味着购买了该文档的版权，仅供个人/单位学习、研究之用，不得用于商业用途，未经授权，严禁复制、发行、汇编、翻译或者网络传播等，侵权必究。
3、本站所有内容均由合作方或网友上传，本站不对文档的完整性、权威性及其观点立场正确性做任何保证或承诺！文档内容仅供研究参考，付费前请自行鉴别。如您付费，意味着您自己接受本站规则且自行承担风险，本站不退款、不进行额外附加服务；查看《如何避免下载的几个坑》。如果您已付费下载过本站文档，您可以点击这里二次下载。
4、如文档侵犯商业秘密、侵犯著作权、侵犯人身权等，请点击“版权申诉”（推荐），也可以打举报电话：400-050-0827(电话支持时间：9:00-18:30)。

Context Sensitive Anomaly Monitoring of Process Control Flow to Detect Mimicry ￡ Attacks a

Context Sensitive Anomaly Monitoring of Process Control Flow to Detect Mimicry Attacks and Impossible Paths Haizhi Xu, Wenliang Du, and Steve J. Chapin Systems Assurance Institute, Syracuse University, Syracuse NY 13244, USA hxu02, wedu, chapin @ Abstract. Many intrusions amplify rights or circumvent defenses by issuing sys- tem calls in ways that the original process did not. Defense against these attacks emphasizes preventing attacking code from being introduced to the system and detecting or preventing execution of the injected code. Another approach, where this paper fits in, is to assume that both injection and execution have occurred, and to detect and prevent the executing code from subverting the target system. We propose a method using waypoints: marks along the normal execution path that a process must follow to successfully access operating system services. Way- points actively log trustworthy context information as the program executes, al- lowing our anomaly monitor to both monitor control flow and restrict system call permissions to conform to the legitimate needs of application functions. We de- scribe our design and implementation of waypoints and present results showing that waypoint-based anomaly monitors can detect a subset of mimicry attacks and impossible paths. Keywords: anomaly detection, context sensitive, waypoint, control flow monitoring, mimicry attacks, impossible paths 1 Introduction Common remote attacks on computer systems have exploited implementation errors to inject code into running processes. Buffer overflow attacks are the best-known example of this type of attacks. For years, people have been working on preventing, detecting, and tolerating these attacks [1–13]. Despite these efforts, current systems are not secure. Attackers frequently find new vulnerabilities and quickly develop adaptive methods that circumvent security mechanisms. Host-based defense can take place at one of three stages: preventing code injection, preve