System Call Monitoring Using Authenticated System Calls

2006, Vol 3 (3), pp. 216-229
Author(s): M. Rajagopalan, M.A. Hiltunen, T. Jim, R.D. Schlichting

2012, Vol 546-547, pp. 1101-1106
Author(s): Dan Nie, Yu Hui Wang

The intended data flow in a vulnerable program can be subverted by attacks that exploit buffer overflows or format string vulnerabilities to write data to unintended locations. In mobile telecommunication, data safety is especially important. These attacks can be classified into two types: control-flow attacks exploit buffer overflows or other vulnerabilities to overwrite a return address, a function pointer, or some other piece of control data; non-control-data attacks exploit similar vulnerabilities to overwrite security-critical data without subverting the intended control flow of the program. Control-flow attacks are well studied and widely used, so there are several typical approaches to prevent them, which monitor the sequence of system calls emitted by the monitored application and use control-flow information about the system calls for intrusion detection. Non-control-data attacks, however, are rare because they rely on specific semantics of the target applications, and only a few works defend against them to some extent. In this paper, in order to prevent non-control-data attacks, we leverage a dynamic taint technique to track the instruction-level relationships between different system call arguments and construct a taint graph that represents the behavior profile of a benign program.


2010, Vol 439-440, pp. 29-34
Author(s): Zhen Guo Chen, Guang Hua Zhang, Li Qin Tian, Zi Lin Geng

The rate of false positives caused by the variability of the environment and of user behavior limits the application of intrusion detection systems in the real world. Intrusion detection is an important technique in the defense-in-depth network security framework and has been a hot topic in computer security in recent years. To address the intrusion detection problem, we introduce the self-organizing map and the artificial immunisation algorithm into intrusion detection. In this paper, we give a method of rule extraction based on the self-organizing map and the artificial immunisation algorithm and use it for intrusion detection. After illustrating our model with a representative dataset, we apply it to the real-world MIT lpr system call dataset and report the experimental results. We also propose the idea of learning different representations for system call arguments. Results indicate that this information can be effectively used for detecting more attacks with reasonable space and time overhead, so our experiments show that the method is feasible and effective for use in intrusion detection.


2015, Vol 2015, pp. 1-20
Author(s): Jae-wook Jang, Jiyoung Woo, Aziz Mohaisen, Jaesung Yun, Huy Kang Kim

As the security landscape evolves over time, with thousands of species of malicious code seen every day, antivirus vendors strive to detect and classify malware families for efficient and effective responses against malware campaigns. To enrich this effort, and by capitalizing on ideas from the social network analysis domain, we build a tool that can help classify malware families using features derived from the graph structure of their system calls. To achieve that, we first construct a system call graph that consists of the system calls found in the execution of the individual malware families. To explore distinguishing features of various malware species, we study social network properties as applied to the call graph, including the degree distribution, degree centrality, average distance, clustering coefficient, network density, and component ratio. We use features derived from those properties to build a classifier for malware families. Our experimental results show that "influence-based" graph metrics such as degree centrality are effective for classifying malware, whereas general structural metrics are less effective. Our experiments demonstrate that the proposed system performs well in detecting and classifying malware families within each malware class, with accuracy greater than 96%.


2021, Vol 2096 (1), pp. 012048
Author(s): V K Fedorov, E G Balenko, N V Gololobov, K E Izrailov

This paper investigates software attacks based on shellcode injection in Windows applications. The attack uses platform invoke to inject binary code by means of system calls. This creates a separate thread that carries the payload. The paper overviews protections against shellcode injection and thus analyzes the injection methods as well. The analysis models the injection of malicious code into a Windows application process. As a result, the paper proposes a step-by-step injection method. Experimental injection of user code in PowerShell is performed to test the method. The paper further shows the assembly code of a system call as an example of finding system call IDs in the global system call table; it also shows part of the source code for the injection of binary executable code. Various countermeasures are proposed in the form of software control modules based on architecture drivers. The paper analyzes the feasibility of using dynamic invoke, which the authors plan to do later on.


2011
Author(s): André R. A. Grégio, Dario S. Fernandes Filho, Vitor M. Afonso, Rafael D. C. Santos, Mario Jino, ...

2013, Vol 347-350, pp. 1264-1267
Author(s): Bo Qu

This paper describes the design and implementation of IPC (inter-process communication) and system calls for an embedded OS in technical detail, including an overview of the micro-kernel OS, the mechanism of inter-process communication, and the implementation of message passing and of system calls on top of it. The IPC and system calls are designed for the ARM-based multi-process micro-kernel embedded operating system developed by the author of this paper on the Linux platform with the GNU tool chain. The design of the system call service function that creates a child process identical to the parent, do_fork(), is provided as an example. Practice proves that the multi-process micro-kernel mechanism is technically feasible on embedded machines.


2013, Vol 443, pp. 494-498
Author(s): Rui Xia Zhang, Ya Liang Wang, Yan Lan Liu

Android is a standard and popular platform for a wide range of smartphones, and security threats are a major problem for smartphones. File system event monitoring is essential for many types of programs, ranging from file managers to security tools. In this paper, we research file system event monitoring. Our approach monitors file nodes using the Android API and using native Linux system calls, and we compare the different features of the two. Each method has its benefits and limitations: the Linux system call method outperforms the API in flexibility and scalability, but it is inconvenient for the user because of its page alignment. A comprehensive method combining both is proposed to take advantage of significant performance gains.


Author(s): Yaqoob S. Ikram

To detect zero-day attacks in modern systems, several host-based intrusion detection systems have been proposed using the newly compiled ADFA-LD dataset. These techniques use the system call traces of the dataset to detect anomalies, but they generally suffer either from high computational cost, as in window-based techniques, or from a low detection rate, as in frequency-based techniques. To enhance accuracy and speed, we propose a host-based intrusion detection system based on extracting distinct short sequences from system call traces, with a novel algorithm to detect anomalies. To the best of our knowledge, the results obtained by the proposed system are superior to all up-to-date published systems in terms of computational cost and learning time. The obtained detection rate is also much higher than that of almost all compared systems and is very close to the highest reported result. In particular, the proposed system provides the best combination of high detection rate and very small learning time. The developed prototype achieved a 90.48% detection rate, a 22.5% false alarm rate, and a learning time of about 30 seconds. This gives it a high capability to detect zero-day attacks and also makes it flexible enough to cope with environmental changes, since it can learn quickly and incrementally without the need to rebuild the whole classifier from scratch.

