Detecting illegal system calls using a data-oriented detection model

Authors: Jonathan-Christofer Demay (1), Frédéric Majorczyk (2), Eric Totel (3), Frédéric Tronel (3)

(2) ADEPT - Algorithms for Dynamic Dependable Systems, IRISA - Institut de Recherche en Informatique et Systèmes Aléatoires, INRIA Rennes
(3) CIDRE - Confidentialité, Intégrité, Disponibilité et Répartition, CentraleSupélec, Inria Rennes – Bretagne Atlantique, IRISA-D1 - SYSTÈMES LARGE ÉCHELLE
Abstract: The most common anomaly detection mechanisms at the application level consist of detecting a deviation in the control flow of a program. A popular way to detect such an anomaly is to model the sequences of system calls an application issues. However, such methods do not detect mimicry attacks or attacks against the integrity of the system call parameters. To enhance such detection mechanisms, we propose an approach that detects, within the application, the corruption of data items that influence the system calls. The approach consists of automatically building a data-oriented behaviour model of an application by static analysis of its source code. The proposed approach is illustrated on various examples, and an injection method is used experimentally to obtain an approximation of the detection coverage of the generated mechanisms.
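The following sketch is an added illustration of the idea the abstract describes and is not code from the paper or its authors: a static pass over a tiny intermediate representation records, for each system call site, which variables reach the call's arguments and which constant values they may legitimately take; a runtime hook then compares the values actually passed against that model and reports a deviation as a suspected data corruption. The IR (`Const`, `Copy`, `Select`, `Syscall`), the sample daemon program and the value-set form of the model are all assumptions made here for illustration; the paper's real analysis and model shape are not reproduced.

```python
"""Toy data-oriented detection model for system call arguments (constructed
illustration, not the paper's implementation). A static pass derives a
per-call-site model of legal argument values; a runtime check flags any
call whose observed arguments fall outside that model."""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple


@dataclass
class Const:      # dst = literal
    dst: str
    value: Any


@dataclass
class Copy:       # dst = src
    dst: str
    src: str


@dataclass
class Select:     # dst = a if inputs[cond] else b (condition only known at runtime)
    dst: str
    cond: str
    a: str
    b: str


@dataclass
class Syscall:    # system call whose arguments are the listed variables
    name: str
    args: List[str]


# Constructed sample program: a daemon opens one of two configuration files
# (chosen by a runtime flag) and then drops privileges to a fixed uid.
PROGRAM = [
    Const("prod_cfg", "/etc/daemon.conf"),          # 0
    Const("dbg_cfg", "/etc/daemon-debug.conf"),     # 1
    Select("path", "debug", "dbg_cfg", "prod_cfg"), # 2
    Syscall("open", ["path"]),                      # 3
    Const("unpriv_uid", 1000),                      # 4
    Copy("uid", "unpriv_uid"),                      # 5
    Syscall("setuid", ["uid"]),                     # 6
]


def build_model(program) -> Dict[int, Dict[str, frozenset]]:
    """Static analysis: for every syscall site, the set of constants each
    argument variable may hold, obtained by propagating constants through
    copies and merging both branches of a Select."""
    value_sets: Dict[str, set] = {}
    model: Dict[int, Dict[str, frozenset]] = {}
    for idx, stmt in enumerate(program):
        if isinstance(stmt, Const):
            value_sets[stmt.dst] = {stmt.value}
        elif isinstance(stmt, Copy):
            value_sets[stmt.dst] = set(value_sets[stmt.src])
        elif isinstance(stmt, Select):
            value_sets[stmt.dst] = value_sets[stmt.a] | value_sets[stmt.b]
        elif isinstance(stmt, Syscall):
            model[idx] = {a: frozenset(value_sets[a]) for a in stmt.args}
    return model


def check_syscall(model, site: int, observed: Dict[str, Any]) -> List[str]:
    """Runtime hook: return a violation string for every argument whose
    observed value is not in the statically derived set (empty = legal)."""
    allowed = model[site]
    return [f"{var}={val!r} outside model {sorted(allowed[var], key=repr)}"
            for var, val in observed.items() if val not in allowed[var]]


def run(program, model, inputs: Dict[str, bool],
        corruption: Optional[Tuple[int, str, Any]] = None):
    """Interpret the program with the hook installed. `corruption` =
    (index, var, value) simulates a memory corruption that overwrites `var`
    just before statement `index`. Returns [(site, syscall, violations)]."""
    env: Dict[str, Any] = {}
    alerts = []
    for idx, stmt in enumerate(program):
        if corruption is not None and corruption[0] == idx:
            env[corruption[1]] = corruption[2]
        if isinstance(stmt, Const):
            env[stmt.dst] = stmt.value
        elif isinstance(stmt, Copy):
            env[stmt.dst] = env[stmt.src]
        elif isinstance(stmt, Select):
            env[stmt.dst] = env[stmt.a] if inputs[stmt.cond] else env[stmt.b]
        elif isinstance(stmt, Syscall):
            observed = {a: env[a] for a in stmt.args}
            violations = check_syscall(model, idx, observed)
            if violations:
                alerts.append((idx, stmt.name, violations))
    return alerts


if __name__ == "__main__":
    m = build_model(PROGRAM)
    print("model:", m)
    print("clean run:", run(PROGRAM, m, {"debug": False}))
    print("uid corrupted:", run(PROGRAM, m, {"debug": False}, corruption=(6, "uid", 0)))
```

Both legitimate executions (debug flag on or off) pass silently because the model unions the two branch values for `path`, whereas overwriting `uid` with 0 before `setuid` or `path` with an unexpected string before `open` is reported at the call site even though the sequence of system calls is unchanged, which is exactly the case the abstract says sequence-based detectors miss.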
Document type: Conference paper

Published in: Jan Camenisch, Simone Fischer-Hübner, Yuko Murayama, Armand Portmann, Carlos Rieder (eds.), 26th International Information Security Conference (SEC), Jun 2011, Lucerne, Switzerland. Springer, IFIP Advances in Information and Communication Technology, AICT-354, pp. 305-316, 2011, Future Challenges in Security and Privacy for Academia and Industry. DOI: 10.1007/978-3-642-21424-0_25

Cited literature: 22 references

https://hal-supelec.archives-ouvertes.fr/hal-00657971
Contributor: Anne Cloirec
Submitted on: Monday, January 9, 2012 - 3:51:53 PM
Last modification on: Tuesday, November 21, 2017 - 3:22:03 PM
Archived on: Monday, November 19, 2012 - 1:01:03 PM

File: ifipsec2011.pdf (files produced by the author(s))

Licence: Distributed under a Creative Commons Attribution 4.0 International License

Citation

Jonathan-Christofer Demay, Frédéric Majorczyk, Eric Totel, Frédéric Tronel. Detecting illegal system calls using a data-oriented detection model. In: Jan Camenisch, Simone Fischer-Hübner, Yuko Murayama, Armand Portmann, Carlos Rieder (eds.), 26th International Information Security Conference (SEC), Jun 2011, Lucerne, Switzerland. Springer, IFIP Advances in Information and Communication Technology, AICT-354, pp. 305-316, 2011, Future Challenges in Security and Privacy for Academia and Industry. DOI: 10.1007/978-3-642-21424-0_25. HAL: hal-00657971


Metrics: 572 record views, 162 file downloads