Anomaly Detection Using Call Stack Information

	This Article
	Subscribers, please Login Purchase article: $19 PDF IEEE Xplore Subscribers RSS feed
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan/Endnote
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Henry Hanping Feng Articles by Oleg M. Kolesnikov Articles by Prahlad Fogla Articles by Wenke Lee Articles by Weibo Gong

2003 IEEE Symposium on Security and Privacy

Berkeley, CA

May 11-May 14

ISBN: 0-7695-1940-7

	ASCII Text	x
	Henry Hanping Feng, Oleg M. Kolesnikov, Prahlad Fogla, Wenke Lee, Weibo Gong, "Anomaly Detection Using Call Stack Information," Security and Privacy, IEEE Symposium on, pp. 62, 2003 IEEE Symposium on Security and Privacy, 2003.

	BibTex	x
	@article{ 10.1109/SECPRI.2003.1199328, author = {Henry Hanping Feng and Oleg M. Kolesnikov and Prahlad Fogla and Wenke Lee and Weibo Gong}, title = {Anomaly Detection Using Call Stack Information}, journal ={Security and Privacy, IEEE Symposium on}, volume = {0}, year = {2003}, issn = {1540-7993}, pages = {62}, doi = {http://doi.ieeecomputersociety.org/10.1109/SECPRI.2003.1199328}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - CONF JO - Security and Privacy, IEEE Symposium on TI - Anomaly Detection Using Call Stack Information SN - 1540-7993 SP EP A1 - Henry Hanping Feng, A1 - Oleg M. Kolesnikov, A1 - Prahlad Fogla, A1 - Wenke Lee, A1 - Weibo Gong, PY - 2003 KW - null VL - 0 JA - Security and Privacy, IEEE Symposium on ER -

Henry Hanping Feng, University of Massachusetts

Oleg M. Kolesnikov, Georgia Institute of Technology

Prahlad Fogla, Georgia Institute of Technology

Wenke Lee, Georgia Institute of Technology

Weibo Gong, University of Massachusetts

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/SECPRI.2003.1199328

The call stack of a program execution can be a very good information source for intrusion detection. There is no prior work on dynamically extracting information from call stack and effectively using it to detect exploits. In this paper, we propose a new method to do anomaly detection using call stack information. The basic idea is to extract return addresses from the call stack, and generate abstract execution path between two program execution points. Experiments show that our method can detect some attacks that cannot be detected by other approaches, while its convergence and false positive performance is comparable to or better than the other approaches. We compare our method with other approaches by analyzing their underlying principles and thus achieve a better characterization of their performance, in particular, on what and why attacks will be missed by the various approaches.

Citation:

Henry Hanping Feng, Oleg M. Kolesnikov, Prahlad Fogla, Wenke Lee, Weibo Gong, "Anomaly Detection Using Call Stack Information," sp, pp.62, 2003 IEEE Symposium on Security and Privacy, 2003

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.