发布求助
文献互助 智能选刊 最新文献

Third IEEE International Workshop on Information Assurance (IWIA'05)最新文献

筛选
英文 中文
Forensic analysis of file system intrusions using improved backtracking 使用改进的回溯对文件系统入侵进行取证分析
Third IEEE International Workshop on Information Assurance (IWIA'05) Pub Date : 2005-03-23 DOI: 10.1109/IWIA.2005.9
S. Sitaraman, S. Venkatesan
{"title":"Forensic analysis of file system intrusions using improved backtracking","authors":"S. Sitaraman, S. Venkatesan","doi":"10.1109/IWIA.2005.9","DOIUrl":"https://doi.org/10.1109/IWIA.2005.9","url":null,"abstract":"Intrusion detection systems alert the system administrators of intrusions but, in most cases, do not provide details about which system events are relevant to the intrusion and how the system events are related. We consider intrusions of file systems. Existing tools, like BackTracker, help the system administrator backtrack from the detection point, which is a file with suspicious contents, to possible entry points of the intrusion by providing a graph containing dependency information between the various files and processes that could be related to the detection point. We improve such backtracking techniques by logging certain additional parameters of the file system during normal operations (real-time) and examining the logged information during the analysis phase. In addition, we use dataflow analysis within the processes related to the intrusion to prune unwanted paths from the dependency graph. This results in significant reduction in search space, search time, and false positives. We also analyze the effort required in terms of storage space and search time.","PeriodicalId":247477,"journal":{"name":"Third IEEE International Workshop on Information Assurance (IWIA'05)","volume":"362 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2005-03-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115953271","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 43
Combining static analysis and dynamic learning to build accurate intrusion detection models 将静态分析与动态学习相结合,建立准确的入侵检测模型
Third IEEE International Workshop on Information Assurance (IWIA'05) Pub Date : 2005-03-23 DOI: 10.1109/IWIA.2005.6
Z. Liu, S. Bridges, R. Vaughn
{"title":"Combining static analysis and dynamic learning to build accurate intrusion detection models","authors":"Z. Liu, S. Bridges, R. Vaughn","doi":"10.1109/IWIA.2005.6","DOIUrl":"https://doi.org/10.1109/IWIA.2005.6","url":null,"abstract":"Anomaly detection based on monitoring of sequences of system calls has been shown to be an effective method for detection of previously unseen, potentially damaging attacks on hosts. This paper presents a new model for profiling normal program behavior for use in detection of intrusions that change application execution flow. This model is compact and efficient to operate and can be acquired using a combination of static analysis and dynamic learning. Our model (hybrid push down automata, HPDA) incorporates call stack information in the automata model and effectively captures the control flow of a program. Several important properties of the model are based on a unique correspondence relation between addresses and instructions within the model. These properties allow the HPDA to be acquired by dynamic analysis of an audit of the call stack log. Our strategy is to use static analysis to acquire a base model and then to use dynamic learning as a supplement to capture those aspects of behavior that are difficult to capture with static analysis due to techniques commonly used in modern programming environments. The model created by this combination method is shown to have a higher detection capability than models acquired by static analysis alone and a lower false positive rate than models acquired by dynamic learning alone.","PeriodicalId":247477,"journal":{"name":"Third IEEE International Workshop on Information Assurance (IWIA'05)","volume":"201 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2005-03-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116402480","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 31
Making the kernel responsible: a new approach to detecting & preventing buffer overflows 使内核负责:一种检测和防止缓冲区溢出的新方法
Third IEEE International Workshop on Information Assurance (IWIA'05) Pub Date : 2005-03-23 DOI: 10.1109/IWIA.2005.10
William R. Speirs
{"title":"Making the kernel responsible: a new approach to detecting & preventing buffer overflows","authors":"William R. Speirs","doi":"10.1109/IWIA.2005.10","DOIUrl":"https://doi.org/10.1109/IWIA.2005.10","url":null,"abstract":"This paper takes the stance that the kernel is responsible for preventing user processes from interfering with each other, and the overall secure operation of the system. Part of ensuring overall secure operation of the computer is preventing buffers in memory from having too much data written to them, overflowing them. This paper presents a technique for obtaining the writable bounds of any memory address. A new system call for obtaining these bounds, ptrbounds, is described that implements this technique. The system call was implemented in the Linux 2.4 kernel and can be used to detect most buffer overflow situations. Once an overflow has been detected it can be dealt with in a number of ways, including to limit the amount of information written to the buffer. Also, a method for accurately tracking the allocation of memory on the stack is proposed to enhance the accuracy of the technique. The intended use of ptrbounds is to provide programmers with a method for checking the bounds of pointers before writing data, and to automatically check the bounds of pointers passed to the kernel.","PeriodicalId":247477,"journal":{"name":"Third IEEE International Workshop on Information Assurance (IWIA'05)","volume":"116 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2005-03-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132390671","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 9
The design of VisFlowConnect-IP: a link analysis system for IP security situational awareness IP安全态势感知链路分析系统VisFlowConnect-IP的设计
Third IEEE International Workshop on Information Assurance (IWIA'05) Pub Date : 2005-03-23 DOI: 10.1109/IWIA.2005.17
Xiaoxin Yin, W. Yurcik, A. Slagell
{"title":"The design of VisFlowConnect-IP: a link analysis system for IP security situational awareness","authors":"Xiaoxin Yin, W. Yurcik, A. Slagell","doi":"10.1109/IWIA.2005.17","DOIUrl":"https://doi.org/10.1109/IWIA.2005.17","url":null,"abstract":"Visualization of IP-based traffic dynamics on networks is a challenging task due to large data volume and the complex, temporal relationships between hosts. We present the architecture of VisFlowConnect-IP, a powerful new tool to visualize IP network traffic flow dynamics for security situational awareness. VisFlowConnect-IP allows an operator to visually assess the connectivity of large and complex networks on a single screen. It provides an overall view of the entire network and filter/drill-down features that allow operators to request more detailed information. Preliminary reports from several organizations using this tool report increased responsiveness to security events as well as new insights into understanding the security dynamics of their networks. In this paper we focus specifically on the design decisions made during the VisFlowConnect development process so that others may learn from our experience. The current VisFlowConnect architecture - the result of these design decisions - is extensible to processing other high-volume multi-dimensional data streams where link connectivity/activity is a focus of study. We report experimental results quantifying the scalability of the underlying algorithms for representing link analysis given continuous high-volume traffic flows as input.","PeriodicalId":247477,"journal":{"name":"Third IEEE International Workshop on Information Assurance (IWIA'05)","volume":"18 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2005-03-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122233712","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 44
首页 上一页
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
请完成安全验证×
相关产品
×
本文献相关产品
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信