Live system call traces provide essential information for analyzing modern malware. Prior work demonstrated how system call traces can be used to differentiate benign from malicious applications. For example, ransomware invokes file system APIs to remove users’ access to their sensitive data, and asks for a ransom to restore the access privileges. Unfortunately, current methods and tools focus on offline reconstruction using memory dumps of the entire system. While it is possible to use such methods in live analysis by pausing execution and tracking system calls, doing so severely degrades system performance. In this paper, we present the design and implementation of our method to trace system calls in Linux-based systems. We show how using our...
Abstract. System monitoring tools serve to provide operators and developers with an insight into sys...
Beginning with the work of Forrest et al, several researchers have developed intrusion detection tec...
The post-mortem state of a compromised system may not contain enough evidence regarding what transpi...
Several tools for program tracing and introspection exist. These tools can be used to analyze potent...
This paper shows how system call traces can be obtained with minimal interference to the system bein...
Detecting anomalies in the behavior of a computer system is crucial for determining its security. On...
Dynamic malware analysis aims at revealing malware’s runtime behavior. To evade analysis, advanced m...
In contrast to most benign applications, malware infects its host system. It does so via system-wide...
Dynamic kernel memory is difficult to analyze due to its volatile status; numerous kernel objects ar...
Abstract—To handle the growing flood of malware, security vendors and analysts rely on tools that au...
Models based on system calls are a popular and common approach to characterize the run-time behavior...
Kernel monitoring is often a hard task, requiring external debuggers and/or modules to be successful...
We present a novel method to trace the propagation of intrusions or malicious code in networked syst...
Advancements in malware development, including the use of file-less and memory-only payloads, have l...
Abstract—To improve software dependability, a large number of software engineering tools have been d...