Thesis details
The Triple Pot and techniques in distributed system call intrusion detection
Chu, Jonathan; Campbell, Roy H.
Keywords: system call; intrusion detection; security; computers
Full text: https://www.ideals.illinois.edu/bitstream/handle/2142/49411/Jonathan_Chu.pdf?sequence=1&isAllowed=y
United States | English
Source: The Illinois Digital Environment for Access to Learning and Scholarship (IDEALS)
Format: PDF
【 Abstract 】
In cyber security, engineers need to devise ways to protect their systems from attackers. One of the ways they do this is through intrusion detection. Host-based intrusion detection systems (HIDS) reside on the computer and perform internal diagnostics of the computer to detect malware and misuse. These HIDS use a variety of methods to detect and prevent attacks, such as file integrity verification, log monitoring and file-access patterns. In this thesis, we look at the method of analyzing system calls for anomalous behavior.

Programs use system calls to gain access to functions of the operating system kernel. Therefore, it is theoretically possible to detect when an attacker may be exploiting a program by analyzing the system call patterns of an application. However, despite previous work in this area, many challenges remain in accurately detecting malicious exploits and intruders through system call analysis, and these have prevented it from being used in real systems.

To help bridge the gap and address the challenges in making system call analysis a reality, we introduce a new method of system call analysis that we call the Triple Pot method. Our method uses three computers running concurrently on the same network to check for anomalous behavior of an application. The key idea is that by setting up a staged, fake network of computers we can get the attacker to identify their exploit for us. We show how our method can be used to automatically identify zero-day attacks that could not have been detected using previous system call analysis methods.

In addition, we introduce a method to aggregate and analyze system calls from distributed machines, using information from multiple computers to detect zero-day attacks. We do this by creating a probabilistic model of the networked computer systems to determine the likelihood that an application is exhibiting anomalous behavior caused by a malicious attacker. Our methods can accurately locate malicious behavior with low false positives.
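The abstract describes two ideas without showing mechanics: profiling an application's system calls for anomalies, and using several concurrently running hosts to decide how likely a deviation is to be an attack rather than noise. The following Python sketch is an added illustration of those two ideas in their simplest form; it is not code from the thesis and does not reproduce the Triple Pot method itself. It assumes traces are lists of system-call names, uses a sliding-window n-gram profile built from known-good runs, treats an n-gram that a peer host also produced under the same workload as corroborated, and models the count of uncorroborated n-grams with a binomial distribution whose benign novelty rate (2%) and alert threshold (1e-4) are assumed values. All traces are constructed sample data.

```python
from math import comb


def ngrams(trace, n=3):
    """Sliding-window n-grams over a sequence of system-call names."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def build_profile(training_traces, n=3):
    """Normal profile: every n-gram observed in known-good runs."""
    profile = set()
    for trace in training_traces:
        profile.update(ngrams(trace, n))
    return profile


def binomial_tail(k, m, q):
    """P(X >= k) for X ~ Binomial(m, q): the chance that a benign run, in which
    each n-gram is unseen with probability q, yields at least k unseen n-grams
    out of m. Small values mean the trace is unlikely to be benign noise."""
    if k <= 0:
        return 1.0
    return sum(comb(m, i) * q ** i * (1 - q) ** (m - i) for i in range(k, m + 1))


def score_hosts(host_traces, profile, n=3, benign_novelty_rate=0.02):
    """Score one trace per host.

    Two counts are produced for each host: n-grams unseen in the training
    profile, and n-grams unseen both in the profile and on every peer host.
    The peers are assumed to run the same application under the same workload,
    so an n-gram that a peer also produced is treated as corroborated rather
    than anomalous. The last value is the binomial likelihood that a benign
    run produces this many uncorroborated n-grams (assumed benign rate 2%).
    Returns {host: (unseen_vs_profile, unseen_vs_peers, p_benign)}.
    """
    grams = {host: ngrams(trace, n) for host, trace in host_traces.items()}
    results = {}
    for host, gs in grams.items():
        peer_grams = set().union(*(set(g) for h, g in grams.items() if h != host))
        vs_profile = [g for g in gs if g not in profile]
        vs_peers = [g for g in vs_profile if g not in peer_grams]
        p_benign = binomial_tail(len(vs_peers), len(gs), benign_novelty_rate)
        results[host] = (len(vs_profile), len(vs_peers), p_benign)
    return results


def flag_hosts(results, alpha=1e-4):
    """Hosts whose trace is too unlikely under the benign model (assumed alpha)."""
    return sorted(host for host, (_, _, p) in results.items() if p < alpha)


# Constructed sample traces (not real captures). The training traces are
# known-good runs of a small request handler; host-c's trace shows the handler
# redirecting its descriptors and spawning a new program, which no good run does.
TRAINING_TRACES = [
    ["accept", "read", "open", "read", "close", "write", "close"],
    ["accept", "read", "open", "read", "write", "close", "write", "close"],
    ["accept", "read", "write", "close"],
]
HOST_TRACES = {
    "host-a": ["accept", "read", "open", "read", "read", "close", "write", "close"],
    "host-b": ["accept", "read", "open", "read", "read", "close", "write", "close"],
    "host-c": ["accept", "read", "dup2", "dup2", "execve", "wait4", "close"],
}

if __name__ == "__main__":
    profile = build_profile(TRAINING_TRACES)
    results = score_hosts(HOST_TRACES, profile)
    for host, (vs_profile, vs_peers, p_benign) in results.items():
        print(f"{host}: {vs_profile} unseen vs profile, "
              f"{vs_peers} uncorroborated by peers, P(benign) = {p_benign:.2e}")
    print("flagged:", flag_hosts(results))
```

In the sample, host-a and host-b both take a legitimate extra read that the training runs never captured; against the profile alone each looks 2-of-6 novel, but each corroborates the other, so neither is flagged. host-c's dup2/execve path appears on no peer and is flagged. The corroboration step only helps if the peers cannot all be compromised identically: an attacker who reaches every replica in the same way would be corroborated away, so the comparison set must include hosts outside the attacker's reach, which is the role a staged decoy network plays in the abstract.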
Attachment: The Triple Pot and techniques in distributed system call intrusion detection (PDF, 490 KB)