{"title":"利用资源使用对程序行为进行建模","authors":"Kevin Leach","doi":"10.1109/DSNW.2013.6615519","DOIUrl":null,"url":null,"abstract":"Control flow graphs (CFG) have long been an effective and elegant way to represent program execution. In particular, many anomaly detection systems employ CFGs. Unfortunately, typical CFG-based systems rely on inaccurate or impractical heuristics. For example, the state space may be restricted by considering only a call graph, thus reducing accuracy and precision. In this paper, we combine control flow graphs with resource consumption information to more accurately model a program's behavior during execution. Intuitively, this technique allows access to more information within each state, providing opportunities for more accurate decisions when considering anomalous behavior. Additionally, because we do not need as many states to represent an application's execution, we can achieve lower overhead than existing CFG-based systems. We anticipate this technique can be used to detect jump-based return-oriented programming (ROP) attacks on the Linux platform.","PeriodicalId":377784,"journal":{"name":"2013 43rd Annual IEEE/IFIP Conference on Dependable Systems and Networks Workshop (DSN-W)","volume":"103 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2013-06-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"BARLEY: Modelling program behavior with resource usage\",\"authors\":\"Kevin Leach\",\"doi\":\"10.1109/DSNW.2013.6615519\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Control flow graphs (CFG) have long been an effective and elegant way to represent program execution. In particular, many anomaly detection systems employ CFGs. Unfortunately, typical CFG-based systems rely on inaccurate or impractical heuristics. For example, the state space may be restricted by considering only a call graph, thus reducing accuracy and precision. In this paper, we combine control flow graphs with resource consumption information to more accurately model a program's behavior during execution. Intuitively, this technique allows access to more information within each state, providing opportunities for more accurate decisions when considering anomalous behavior. Additionally, because we do not need as many states to represent an application's execution, we can achieve lower overhead than existing CFG-based systems. We anticipate this technique can be used to detect jump-based return-oriented programming (ROP) attacks on the Linux platform.\",\"PeriodicalId\":377784,\"journal\":{\"name\":\"2013 43rd Annual IEEE/IFIP Conference on Dependable Systems and Networks Workshop (DSN-W)\",\"volume\":\"103 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2013-06-24\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2013 43rd Annual IEEE/IFIP Conference on Dependable Systems and Networks Workshop (DSN-W)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/DSNW.2013.6615519\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2013 43rd Annual IEEE/IFIP Conference on Dependable Systems and Networks Workshop (DSN-W)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/DSNW.2013.6615519","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
BARLEY: Modelling program behavior with resource usage
Control flow graphs (CFG) have long been an effective and elegant way to represent program execution. In particular, many anomaly detection systems employ CFGs. Unfortunately, typical CFG-based systems rely on inaccurate or impractical heuristics. For example, the state space may be restricted by considering only a call graph, thus reducing accuracy and precision. In this paper, we combine control flow graphs with resource consumption information to more accurately model a program's behavior during execution. Intuitively, this technique allows access to more information within each state, providing opportunities for more accurate decisions when considering anomalous behavior. Additionally, because we do not need as many states to represent an application's execution, we can achieve lower overhead than existing CFG-based systems. We anticipate this technique can be used to detect jump-based return-oriented programming (ROP) attacks on the Linux platform.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
