TY  - JOUR
JO  - Dependable and Secure Computing, IEEE Transactions on
TI  - Analysis of Computer Intrusions Using Sequences of Function Calls
T2  - Dependable and Secure Computing, IEEE Transactions on
IS  - 2
SN  - 1545-5971
VO  - 4
SP  - 137
EP  - 150
AU  - Peisert, S.
AU  - Bishop, M.
AU  - Karin, S.
AU  - Marzullo, K.
Y1  - April-June 2007
PY  - 2007
KW  - security of data
KW  - anomaly detection
KW  - computer intrusion detection
KW  - forensic analysis
KW  - function call sequence
KW  - unauthorized access
VL  - 4
JA  - Dependable and Secure Computing, IEEE Transactions on
DOI - 10.1109/TDSC.2007.1003
AB  - This paper demonstrates the value of analyzing sequences of function calls for forensic analysis. Although this approach has been used for intrusion detection (that is, determining that a system has been attacked), its value in isolating the cause and effects of the attack has not previously been shown. We also look for not only the presence of unexpected events but also the absence of expected events. We tested these techniques using reconstructed exploits in su, ssh, and lpr, as well as proof-of-concept code, and, in all cases, were able to detect the anomaly and the nature of the vulnerability.
ER  -