Automated Discovery of Mimicry Attacks

Abstract

Model-based anomaly detection systems restrict program execution by a predefined model of allowed system call sequences. These systems are useful only if they detect actual attacks. Previous research developed manually-constructed mimicry and evasion attacks that avoided detection by hiding a malicious series of system calls within a valid sequence allowed by the model. Our work helps to automate the discovery of such attacks. We start with two models: a program model of the application's system call behavior and a model of security-critical operating system state. Given unsafe OS state configurations that describe the goals of an attack, we then find system call sequences allowed as valid execution by the program model that produce the unsafe configurations. Our experiments show that we can automatically find attack sequences in models of programs such as wu-ftpd and passwd that previously have only been discovered manually. When undetected attacks are present, we frequently find the sequences with less than 2 seconds of computation.

Open PDF

Document Details

Document Type
Technical Report
Publication Date
Jan 01, 2006
Accession Number
ADA454761

Entities

People

  • Barton P. Miller
  • Jonathon T. Giffin
  • Somesh Jha

Organizations

  • University of Wisconsin Madison Department of Computer Science

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Anomaly Detection
  • Automata
  • Change Detection
  • Computer Science
  • Computers
  • Control Systems
  • Detection
  • Detectors
  • Intrusion
  • Intrusion Detection
  • Intrusion Detection Systems
  • Intrusion Detectors
  • Language
  • Operating Systems
  • Specifications

Fields of Study

  • Computer science

Readers

  • Applied Combinatorial Optimization and Logic Circuit Design.
  • Computational Modeling and Simulation
  • Cybersecurity.