By Topic

Bridging the Gap between Data-Flow and Control-Flow Analysis for Anomaly Detection

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$33 $13
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

4 Author(s)
Peng Li ; Univ. of North Carolina at Chapel Hill, Chapel Hill, NC ; Hyundo Park ; Debin Gao ; Jianming Fu

Host-based anomaly detectors monitor the control-flow and data-flow behavior of system calls to detect intrusions. Control-flow-based detectors monitor the sequence of system calls, while data-flow-based detectors monitor the data propagation among arguments of system calls. Besides pointing out that data-flow-based detectors can be layered on top of control-flow-based ones (or vice versa) to improve accuracy, there is a large gap between the two research directions in that research along one direction had been fairly isolated and had not made good use of results from the other direction. In this paper, we show how data-flow analysis can leverage results from control-flow analysis to learn more accurate and useful rules for anomaly detection. Our results show that the proposed control-flow-analysis-aided data-flow analysis reveals some accurate and useful rules that cannot be learned in prior data-flow analysis techniques. These relations among system call arguments and return values are useful in detecting many real attacks. A trace-driven evaluation shows that the proposed technique enjoys low false-alarm rates and overhead when implemented on a production server.

Published in:

Computer Security Applications Conference, 2008. ACSAC 2008. Annual

Date of Conference:

8-12 Dec. 2008