Journal of Computers, Vol 6, No 5 (2011), 889-896, May 2011
doi:10.4304/jcp.6.5.889-896

A Software Behavior Automaton Model Based on System Call and Context

Zhen Li, Junfeng Tian

Abstract


Traditional software behavior models suffer from the high time overhead of capturing the system call context by walking the stack, and from inaccurate system call argument policies. To address these problems, a software behavior automaton model based on system call and context is proposed.

First, data flow information containing system call argument policies is combined with software control flow and used for anomaly detection of software behavior. Second, a new context value approach is proposed for capturing the system call context accurately and with low time overhead. Third, a system call argument context derived from the system call context is introduced, and system call argument policies based on context (both the system call context and the system call argument context) are presented. The experimental results show that the software behavior automaton model based on system call and context can capture the system call context accurately with low time overhead, can describe system call argument policies precisely, and can detect anomalies of software behavior based on both control flow and data flow.
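As an added illustration (not code from the paper), the following Python sketches the kind of automaton the abstract describes: states keyed on (system call, context value), transitions learned from normal traces as the control-flow model, and per-state argument sets as the data-flow policy. The context value is assumed here to be a short hash of the call-site chain, and the traces are constructed.

```python
import hashlib
from collections import defaultdict
START = ("<start>", "")

def context_value(call_sites):
    # Assumed context value: short hash of the call-site chain that reached the syscall
    return hashlib.blake2b("/".join(call_sites).encode(), digest_size=4).hexdigest()

class BehaviorAutomaton:
    def __init__(self):
        self.transitions = defaultdict(set)  # (syscall, ctx) -> next states seen in training
        self.arg_policy = defaultdict(set)   # (syscall, ctx) -> arguments seen in training

    def train(self, trace):
        # Learn control flow (state transitions) and data flow (argument policy) together
        prev = START
        for syscall, sites, arg in trace:
            state = (syscall, context_value(sites))
            self.transitions[prev].add(state)
            self.arg_policy[state].add(arg)
            prev = state

    def check(self, trace):
        # Report (kind, syscall, arg) for each control-flow or data-flow anomaly
        prev, alerts = START, []
        for syscall, sites, arg in trace:
            state = (syscall, context_value(sites))
            if state not in self.transitions.get(prev, set()):
                alerts.append(("control-flow", syscall, arg))
            elif arg not in self.arg_policy.get(state, set()):
                alerts.append(("data-flow", syscall, arg))
            prev = state
        return alerts

# Constructed traces: (syscall, call-site chain, argument) for a small log-writing program
NORMAL_TRACE = [
    ("open", ("main", "load_config"), "/etc/app.conf"),
    ("close", ("main", "load_config"), "fd"),
    ("open", ("main", "log_open"), "/var/log/app.log"),
    ("write", ("main", "log_write"), "fd"),
    ("close", ("main", "log_close"), "fd"),
]
ANOMALOUS_TRACE = NORMAL_TRACE[:2] + [
    ("open", ("main", "log_open"), "/etc/passwd"),      # known context, argument violates policy
    ("write", ("main", "log_write"), "fd"),
    ("open", ("main", "handler"), "/var/log/app.log"),  # known argument, context never modeled
]

def run_example():
    automaton = BehaviorAutomaton()
    automaton.train(NORMAL_TRACE)
    return automaton.check(ANOMALOUS_TRACE)
```

The second alert shows why context matters: the same `open` with a previously seen argument is still flagged because it was issued from a call path the model never observed.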


Keywords


software behavior, automaton, system call, context, system call argument




Journal of Computers (JCP, ISSN 1796-203X)
