> Each program will make a defined set of syscalls to achieve its
> objective. Now the idea is to watch syscalls that a program is supposed to
> make during its run time. A database which describes the syscalls that a
> program can make is called the behavior model of the program. Let's assume we
> can generate a behavior model which perfectly describes an application.
> Now any deviation from the behavior model of the program essentially indicates
> an intrusion in real time. Thus a corrective action can be taken.

Nothing new under the sun:

http://imsafe.sourceforge.net/inside.htm
ftp://ftp.cs.unm.edu/pub/forrest/uss-2000.ps

And even published research:

http://citeseer.ist.psu.edu/13864.html
http://citeseer.nj.nec.com/445166.html

There are conspicuous citations in the two papers above.

As for the mimicry attacks against this concept, a URL has already been posted.

Cordialmente,
Stefano Zanero
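The sliding-window syscall model the quoted text describes, as an added example that is not part of this post, of imsafe, or of the Forrest group's code: a "behavior model" is built from the n-grams of syscall names seen in normal runs, and a new trace is scored by how many of its windows the model has never seen. The trace lists, the function names and the 0.2 threshold are all constructed for this example, not taken from any of the cited work.

```python
# Constructed sample traces (not captured from a real program): syscall names
# in the order a tracer such as strace would report them for a small
# file-copy utility during normal runs.
NORMAL_TRACES = [
    ["open", "read", "write", "read", "write", "close"],
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "write", "close"],
]

# Constructed trace of the same utility behaving abnormally: it spawns a new
# process in the middle of its copy loop, which the behavior model never saw.
ANOMALOUS_TRACE = ["open", "read", "execve", "fork", "write", "close"]


def windows(trace, n):
    """Yield every length-n sliding window of a trace as a tuple."""
    for i in range(len(trace) - n + 1):
        yield tuple(trace[i:i + n])


def build_model(traces, n=3):
    """Behavior model: the set of all syscall n-grams seen in normal runs."""
    model = set()
    for trace in traces:
        model.update(windows(trace, n))
    return model


def score_trace(trace, model, n=3):
    """Return (mismatches, total_windows) for a trace checked against the model.

    mismatches is a list of (window_index, ngram) pairs the model lacks.
    A trace shorter than n yields no windows and cannot be judged at all;
    the caller sees total_windows == 0 and must treat that separately
    rather than reading it as "no anomaly".
    """
    total = 0
    mismatches = []
    for i, w in enumerate(windows(trace, n)):
        total += 1
        if w not in model:
            mismatches.append((i, w))
    return mismatches, total


def is_intrusion(trace, model, n=3, threshold=0.2):
    """Flag a trace when the fraction of unseen windows exceeds threshold.

    The threshold is a constructed tuning knob: too low and any run that
    exercises a rarely used code path raises a false alarm, too high and
    short deviations slip through.
    """
    mismatches, total = score_trace(trace, model, n)
    if total == 0:
        return False  # undecidable, not normal; log it upstream
    return len(mismatches) / total > threshold


if __name__ == "__main__":
    model = build_model(NORMAL_TRACES)
    print(f"model holds {len(model)} distinct 3-grams")
    for name, trace in [("normal", NORMAL_TRACES[1]), ("anomalous", ANOMALOUS_TRACE)]:
        mism, total = score_trace(trace, model)
        print(f"{name}: {len(mism)}/{total} windows unseen "
              f"-> intrusion={is_intrusion(trace, model)}")
```

Two properties of this scheme are worth seeing in the numbers: a run the model never trained on, such as `open, read, write, write, close`, still scores zero because every one of its 3-grams appears in some training trace, which is what lets a small training set generalize; and the weakness the post's last sentence alludes to is visible in the scoring rule itself, since anything composed purely of already-modeled windows is indistinguishable from normal behavior, so the model is a detection layer to combine with others rather than a complete answer.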
This archive was generated by hypermail 2b30 : Mon Aug 18 2003 - 12:25:41 PDT