Many host-based anomaly detection systems monitor a process by observing the system calls it makes, and comparing these calls to a model of behavior for the program that the process should be executing. In this paper we introduce a new model of system call behavior, called an execution graph. The execution graph is the first such model that both requires no static analysis of the program source or binary, and conforms to the control flow graph of the program. When used as the model in an anomaly detection system monitoring system calls, it offers two strong properties: (i) it accepts only system call sequences that are consistent with the control flow graph of the program; (ii) it is maximal given a set of training data, meaning that any ex...
Intrusion detection is a critical component of security information systems. The intrusion detection...
At present it is almost impossible to detect zero day attack with help of supervised anomaly detecti...
Existing techniques used for anomaly detection do not fully utilize the intrinsic properties of embe...
Many host-based anomaly detection systems monitor a process by observing the system calls it makes, ...
Many host-based anomaly detection systems monitor a process ostensibly running a known program by ob...
Many host-based anomaly detection systems monitor a process ostensibly running a known program by ob...
Program anomaly detection — modeling normal program executions to detect deviations at runtime as cu...
Modern computer systems are plagued with security flaws, making them vulnerable to various malicious...
this paper presents a novel anomaly detection approach that takes into account the information conta...
Modern stealthy exploits can achieve attack goals without introducing illegal control flows, e.g., t...
Traditionally, analysis of malicious software is only a semi-automated process, often requiring a sk...
Beginning with the work of Forrest et al, several researchers have developed intrusion detection tec...
With the increase of network virtualization and the disparity of vendors, the continuous monitoring ...
As distributed computations become more and more common in highly distributed environments like the ...
Analyzing the executions of a buggy program is essentially a data mining process: Tracing the data g...