• DocumentCode
    3452412
  • Title
    Anomaly detection using call stack information
  • Author
    Feng, Henry Hanping ; Kolesnikov, Oleg M. ; Fogla, Prahlad ; Lee, Wenke ; Gong, Weibo
  • Author_Institution
    Dept. of Electr. & Comput. Eng., Univ. of Massachusetts, Amherst, MA, USA
  • fYear
    2003
  • fDate
    11-14 May 2003
  • Firstpage
    62
  • Lastpage
    75
  • Abstract
    The call stack of a program execution can be a very good information source for intrusion detection. There is no prior work on dynamically extracting information from the call stack and effectively using it to detect exploits. In this paper we propose a new method to do anomaly detection using call stack information. The basic idea is to extract return addresses from the call stack, and generate an abstract execution path between two program execution points. Experiments show that our method can detect some attacks that cannot be detected by other approaches, while its convergence and false positive performance is comparable to or better than the other approaches. We compare our method with other approaches by analyzing their underlying principles and thus achieve a better characterization of their performance, in particular on what and why attacks will be missed by the various approaches.
  • Keywords
    invasive software; program diagnostics; abstract execution path; anomaly detection; attacks; call stack information; convergence; extract return addresses; false positive performance; intrusion detection; program execution; program execution points; Automata; Automatic generation control; Computerized monitoring; Convergence; Counting circuits; Data mining; Educational institutions; Intrusion detection; Performance analysis; Runtime;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Security and Privacy, 2003. Proceedings. 2003 Symposium on
  • ISSN
    1081-6011
  • Print_ISBN
    0-7695-1940-7
  • Type
    conf
  • DOI
    10.1109/SECPRI.2003.1199328
  • Filename
    1199328