Title :
BARLEY: Modelling program behavior with resource usage
Author_Institution :
Center for Secure Inf. Syst., George Mason Univ., Fairfax, VA, USA
Abstract :
Control flow graphs (CFG) have long been an effective and elegant way to represent program execution. In particular, many anomaly detection systems employ CFGs. Unfortunately, typical CFG-based systems rely on inaccurate or impractical heuristics. For example, the state space may be restricted by considering only a call graph, thus reducing accuracy and precision. In this paper, we combine control flow graphs with resource consumption information to more accurately model a program's behavior during execution. Intuitively, this technique allows access to more information within each state, providing opportunities for more accurate decisions when considering anomalous behavior. Additionally, because we do not need as many states to represent an application's execution, we can achieve lower overhead than existing CFG-based systems. We anticipate this technique can be used to detect jump-based return-oriented programming (ROP) attacks on the Linux platform.
Keywords :
Linux; flow graphs; security of data; BARLEY; CFG; Linux platform; ROP attacks; anomalous behavior; anomaly detection systems; call graph; control flow graphs; jump-based return-oriented programming attack detection; program behavior modelling; program execution; resource consumption information; resource usage; state space; Flow graphs; Malware; Monitoring; Programming; Radiation detectors;
Conference_Title :
Dependable Systems and Networks Workshop (DSN-W), 2013 43rd Annual IEEE/IFIP Conference on
Conference_Location :
Budapest
DOI :
10.1109/DSNW.2013.6615519