Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Need help. Proof of concept 100% security.

From: "Stefano Zanero" <stefano.zanero () ieee org>
Date: Sat, 16 Aug 2003 11:12:52 +0200
Each program will make a defind set of syscalls to achieve its
objective. Now idea is to watch syscalls that a program is supposed to
make during its run time. A database which describes the syscalls that a
program can make is called behavior model of the program. Lets assume we
can generate a behavior model which perfectly describes an application.
Now any deviation from behavior model of program essentially indicates
an intrusion at real time. Thus a corrective action can be taken.


Nothing new under the sun:

http://imsafe.sourceforge.net/inside.htm
ftp://ftp.cs.unm.edu/pub/forrest/uss-2000.ps

And even published research:
http://citeseer.ist.psu.edu/13864.html
http://citeseer.nj.nec.com/445166.html

There are conspicuous citations in the two papers above. As for the mimicry
attacks against this concept, an URL has already been posted

Cordialmente,
Stefano Zanero
Previous By Date Next
Previous By Thread Next

Current thread: