Using Common Log Information to Reveal Hidden Attack Manifestations
We investigate how system call-based detection mechanisms can be made more resistant to mimicry attacks. We extend the information provided by the system call name with information about system call arguments, return values and the identities of the users responsible for the calls, and we show that adding this information significantly reduces the attacker's options for constructing a successful attack. In particular, the use of filler calls with arbitrary position, arguments and return values becomes increasingly difficult. For our investigation we use two system call-based detection algorithms, one distance-based and one sequence-based, which traditionally operate on the system call name only. We then create two mimicry attacks that avoid detection by the original detectors but are revealed when the extra information is used. The result of our investigation shows that adding common log information to the detector drastically decreases the attacker's options for constructing a successful attack, while increasing the detection options.
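The following is an added illustration of the sequence-based side of this argument; it is not code from the paper and the traces are constructed. It assumes a fixed-window n-gram detector (a stand-in for the paper's sequence-based algorithm, whose exact design the abstract does not state) trained on normal traces of a hypothetical web server, and it evaluates the same constructed mimicry trace against three feature sets: system call name only, name plus argument class and return value, and name plus argument class, return value and uid. The mimicry trace is built from call names the detector has already seen and uses `stat` as a filler call; the point shown is that each added log field leaves fewer of its windows looking normal.

```python
"""n-gram syscall anomaly detection: name-only versus augmented features.

Added example with constructed traces; a stand-in for the paper's
sequence-based detector, not its implementation.
"""
from collections import namedtuple

Call = namedtuple("Call", "name arg ret uid")

# Constructed normal traces: the server reads its configuration as uid 0,
# drops privileges to uid 33, then serves files from /var/www (including a
# not-found path where stat fails and an error page is written).
NORMAL = [
    [Call("open", "/etc/httpd.conf", "ok", 0), Call("read", "fd", "ok", 0),
     Call("close", "fd", "ok", 0), Call("setuid", "33", "ok", 0)],
    [Call("stat", "/var/www/index.html", "ok", 33),
     Call("open", "/var/www/index.html", "ok", 33),
     Call("read", "fd", "ok", 33), Call("write", "sock", "ok", 33),
     Call("close", "fd", "ok", 33)],
    [Call("stat", "/var/www/missing.html", "err", 33),
     Call("write", "sock", "ok", 33), Call("close", "sock", "ok", 33)],
]

# Constructed mimicry trace: the name sequence "stat open read close" consists
# only of 3-grams present in the normal name sequences. `stat` is a filler
# call whose argument and return value are arbitrary; the open targets a
# file class (/etc) that the service only touches as uid 0 during startup.
MIMICRY = [
    Call("stat", "/tmp/whatever", "err", 33),
    Call("open", "/etc/shadow", "ok", 33),
    Call("read", "fd", "ok", 33),
    Call("close", "fd", "ok", 33),
]


def arg_class(arg):
    """Abstract a raw argument to a coarse class so the model generalises."""
    if arg.startswith("/var/www/"):
        return "docroot"
    if arg.startswith("/etc/"):
        return "etc"
    if arg.startswith("/"):
        return "other-path"
    return arg  # "fd", "sock", numeric uid: already abstract


# Feature extractors, from the traditional name-only view to the full view.
FEATURES = {
    "name": lambda c: (c.name,),
    "name+arg+ret": lambda c: (c.name, arg_class(c.arg), c.ret),
    "name+arg+ret+uid": lambda c: (c.name, arg_class(c.arg), c.ret, c.uid),
}


def ngrams(seq, n):
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


def train(traces, feat, n=3):
    """Collect every n-gram of feature tuples observed in normal traces."""
    model = set()
    for trace in traces:
        model.update(ngrams([feat(c) for c in trace], n))
    return model


def anomalies(model, trace, feat, n=3):
    """Indices of windows in `trace` whose n-gram was never seen in training."""
    return [i for i, g in enumerate(ngrams([feat(c) for c in trace], n))
            if g not in model]


def evaluate(trace=MIMICRY, n=3):
    """Number of anomalous windows in `trace` under each feature set."""
    return {label: len(anomalies(train(NORMAL, feat, n), trace, feat, n))
            for label, feat in FEATURES.items()}


if __name__ == "__main__":
    for label, count in evaluate().items():
        print(f"{label:18s} anomalous windows: {count}")
```

With name-only features the mimicry trace raises no alarm at all. Adding the argument class and return value exposes the filler `stat` (an arbitrary path failing right before an `open`, a combination the service never produces), and adding the uid also exposes the `open` of an `/etc` path as uid 33, which normally happens only before privileges are dropped. The distance-based detector from the paper is not modelled here.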