• DocumentCode
    1977699
  • Title
    Using system call information to reveal hidden attack manifestations
  • Author
    Larson, Ulf E. ; Nilsson, Dennis K. ; Jonsson, Erland ; Lindskog, Stefan
  • Author_Institution
    Dept. of Comput. Sci. & Eng., Chalmers Univ. of Technol., Goteborg, Sweden
  • fYear
    2009
  • fDate
    20-22 May 2009
  • Firstpage
    1
  • Lastpage
    8
  • Abstract
    We investigate how system call-based intrusion detectors can be made more resistant against mimicry attacks. We show that by including extra information such as system call arguments, return values, and the identity of the user responsible for the calls, the attacker's options for constructing successful attacks are significantly reduced, in particular with respect to the use of no-op system calls. For our investigation, we add extra information to two system call-based detection algorithms (one distance-based and one sequence-based) that normally operate on system call names only. We then create two mimicry attacks which avoid detection by the original detectors but are revealed when the extra information is used. Our investigation shows that by providing the extra information to the detector, the attacker's options for constructing successful and undetected attacks decrease drastically.
  • Keywords
    security of data; attackers options; call arguments system; extra information; hidden attack manifestations; intrusion detectors; mimicry attacks; system call information; Computers; Databases; Detection algorithms; Detectors; Linux; Partitioning algorithms; Radiation detectors;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Security and Communication Networks (IWSCN), 2009 Proceedings of the 1st International Workshop on
  • Conference_Location
    Trondheim
  • Print_ISBN
    978-1-61284-168-7
  • Electronic_ISBN
    978-82-997105-1-0
  • Type
    conf
  • Filename
    5683048