Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Need help. Proof of concept 100% security.
From: "Stefano Zanero" <stefano.zanero () ieee org>
Date: Sat, 16 Aug 2003 11:12:52 +0200

Each program will make a defind set of syscalls to achieve its
objective. Now idea is to watch syscalls that a program is supposed to
make during its run time. A database which describes the syscalls that a
program can make is called behavior model of the program. Lets assume we
can generate a behavior model which perfectly describes an application.
Now any deviation from behavior model of program essentially indicates
an intrusion at real time. Thus a corrective action can be taken.

Nothing new under the sun:

http://imsafe.sourceforge.net/inside.htm
ftp://ftp.cs.unm.edu/pub/forrest/uss-2000.ps

And even published research:
http://citeseer.ist.psu.edu/13864.html
http://citeseer.nj.nec.com/445166.html

There are conspicuous citations in the two papers above. As for the mimicry
attacks against this concept, an URL has already been posted

Cordialmente,
Stefano Zanero



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]