Conference papers

Detecting illegal system calls using a data-oriented detection model

Jonathan-Christofer Demay 1 Frédéric Majorczyk 2 Eric Totel 3 Frédéric Tronel 3
2 ADEPT - Algorithms for Dynamic Dependable Systems
IRISA - Institut de Recherche en Informatique et Systèmes Aléatoires, INRIA Rennes
3 CIDRE - Confidentialité, Intégrité, Disponibilité et Répartition
CentraleSupélec, Inria Rennes – Bretagne Atlantique, IRISA-D1 - SYSTÈMES LARGE ÉCHELLE
Abstract: The most common anomaly detection mechanisms at application level consist in detecting a deviation of the control-flow of a program. A popular method to detect such anomalies is the use of application sequences of system calls. However, such methods do not detect mimicry attacks or attacks against the integrity of the system call parameters. To enhance such detection mechanisms, we propose an approach to detect in the application the corruption of data items that have an influence on the system calls. This approach consists in building automatically a data-oriented behaviour model of an application by static analysis of its source code. The proposed approach is illustrated on various examples, and an injection method is experimented to obtain an approximation of the detection coverage of the generated mechanisms.

Cited literature: 22 references
Contributor: Anne Cloirec
Submitted on: Monday, January 9, 2012 - 3:51:53 PM
Last modification on: Wednesday, February 2, 2022 - 3:51:00 PM
Long-term archiving on: Monday, November 19, 2012 - 1:01:03 PM


Files produced by the author(s)


Distributed under a Creative Commons Attribution 4.0 International License



Jonathan-Christofer Demay, Frédéric Majorczyk, Eric Totel, Frédéric Tronel. Detecting illegal system calls using a data-oriented detection model. 26th International Information Security Conference (SEC), Jun 2011, Lucerne, Switzerland. pp.305-316, ⟨10.1007/978-3-642-21424-0_25⟩. ⟨hal-00657971⟩


