Using Common Log Information to Reveal Hidden Attack Manifestations
Report, 2007

We investigate how system call-based detection mechanisms can be made more resistant against mimicry attacks. We extend the information provided by the system call name with information regarding system call arguments, return values and the identities of the users responsible for the calls, and we show that by adding this information, the attacker's options for constructing a successful attack are significantly reduced. In particular, the use of filler calls with arbitrary position, arguments and return values becomes increasingly difficult. For our investigation we use two system call-based detection algorithms, one distance-based and one sequence-based, which traditionally operate on the system call name only. We then create two mimicry attacks which avoid detection by the original detectors but are revealed when the extra information is used. The result of our investigation shows that by adding common log information to the detector, the attacker's options for constructing a successful attack decrease drastically, while the detection options increase.

Keywords: Mimicry, manifestation, logging, detection

Author

Ulf Larson

Chalmers, Computer Science and Engineering (Chalmers), Computer Engineering (Chalmers)

Dennis Nilsson

Chalmers, Computer Science and Engineering (Chalmers), Computer Engineering (Chalmers)

Erland Jonsson

Chalmers, Computer Science and Engineering (Chalmers), Computer Engineering (Chalmers)

Subject Categories

Computer Engineering

Technical report - Department of Computer Science and Engineering, Chalmers University of Technology and Göteborg University: 2007:19

Created

10/6/2017