Yue Shen,Fei Yu,Ling-Fen Zhang,Ji-Yao An,Miao-Liang Zhu

DOI: https://doi.org/10.1109/CANET.2005.1598184

2005-01-01

Abstract:Intrusion detection is an efficient way to protect information system. This paper puts forward a new method of anomalous intrusion detection based on system call. It uses system calls regarded as input, and creates a FSA for the functions in the program. Then the FSA is used to detect the attack. Moreover, It can find the place of the vulnerability which exists in the program. This can help to alter the source program. Results are shown that this method is effective for some intrusion events.

徐辉,潘爱民

DOI: https://doi.org/10.3969/j.issn.1001-3695.2004.11.052

2004-01-01

Abstract:An enhanced security auditing mechanism for Linux is proposed.This mechanism is based on loadable kernel mo-(dule) and provides system level and application level auditing functions.System audit generates an audit record for every security sensitive system call.Application level audit abandons the traditional auditing fashion that auditing system completely depends on applications writing log file in user space.Instead,applications and system kernel will generate audit record coordinately.Examples are given for intrusion detection with this mechanism.

Tao Zhang,Yang Yu,Yi Li

DOI: https://doi.org/10.3969/j.issn.1000-386x.2014.05.005

2014-01-01

Abstract:With the penetration of Linux technology,lots of Linux servers have been deployed in distributed systems.It becomes a big problem to carry out effective security auditing for those server resources at present.We design and implement a security auditing system applicable to complex distributed environments according to the characteristics of Linux servers.Our solution adopts component-based, modular architecture to support multi-layer deployment.Based on the audits at kernel level and application level,our system achieves the comprehensive audit on Linux servers including system resources,terminal accesses,file,database and network resources,etc.Meanwhile, our system uses data mining techniques to thoroughly analyse the audit message,and realises the intelligent auditing on Linux servers.Our system has been deployed in a real system,and shows very good effect.

LIU Fan,CHEN Kang,ZHENG Wei-ming

DOI: https://doi.org/10.3969/j.issn.1000-1220.2005.09.049

2005-01-01

Abstract:With the development of the Web, how to trace specific sites and web pages effectively is important for many people. This paper introduced a Web Tracing Service System based on Intranet. DSA, a dynamic schedule algorithm has used in this system; thread-pool improves the efficiency of bandwidth usage; design a distributed storage mechanism; and a timely information delivery is implemented in our system.

LIU Jia,ZI Xiaochao,PAN Li,LI Jianhua

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.12.018

2005-01-01

Abstract:This paper discusses how to develop the audit module for secure operating system based on the Linux kernel. This audit subsystem cancollect all the core-level information by mounting audit points in the kernel, and provide secure audit management with automate analysis fromremote terminal through website.

Jiaping Gui,Ding Li,Zhengzhang Chen,Junghwan Rhee,Xusheng Xiao,Mu Zhang,Kangkook Jee,Zhichun Li,Haifeng Chen

DOI: https://doi.org/10.1109/ICDE48307.2020.00151

2020-01-01

Abstract:While backtracking analysis has been successful in assisting the investigation of complex security attacks, it faces a critical dependency explosion problem. To address this problem, security analysts currently need to tune backtracking analysis manually with different case-specific heuristics. However, existing systems fail to fulfill two important system requirements to achieve effective backtracking analysis. First, there need flexible abstractions to express various types of heuristics. Second, the system needs to be responsive in providing updates so that the progress of backtracking analysis can be frequently inspected, which typically involves multiple rounds of manual tuning. In this paper, we propose a novel system, APTrace, to meet both of the above requirements. As we demonstrate in the evaluation, security analysts can effectively express heuristics to reduce more than 99.5% of irrelevant events in the backtracking analysis of real-world attack cases. To improve the responsiveness of backtracking analysis, we present a novel execution-window partitioning algorithm that significantly reduces the waiting time between two consecutive updates (especially, 57 times reduction for the top 1% waiting time).

ZHOU Chang-ling,CUI Jian,SHANG Qun,ZHANG Bei

DOI: https://doi.org/10.3969/j.issn.1672-9781.2007.02.008

2007-01-01

Abstract:In order to improve the campus network management efficiency, whenever a security event occurs, network operators can easily trace those users who abused the network or did illegal things, auto-logging campus network user information and relate things are required. This paper presents a way combining the IP, MAC, user profile, switch port data to trace user location. A system using this method is designed and implemented in our campus network that shows our solution is valuable.

Jingyu Zhou,Giovanni Vigna

DOI: https://doi.org/10.1109/csac.2004.17

2004-01-01

Abstract:Host security is achieved by securing both the operating system kernel and the privileged applications that run on top of it. Application-level bugs are more frequent than kernel-level bugs, and, therefore, applications are often the means to compromise the security of a system. Detecting these attacks can be difficult, especially in the case of attacks that exploit application-logic errors. These attacks seldom exhibit characterizing patterns as in the case of buffer overflows and format string attacks. In addition, the data used by intrusion detection systems is either too low-level, as in the case of system calls, or incomplete, as in the case of syslog entries. This paper presents a technique to enforce nonbypassable, application-level auditing that does not require the recompilation of legacy systems. The technique is implemented as a kernel-level component, a privileged daemon, and an offline language tool. The technique uses binary rewriting to instrument applications so that meaningful and complete audit information can be extracted. This information is then matched against application-specific signatures to detect attacks that exploit application-logic errors. The technique has been successfully applied to detect attacks against widely-deployed applications, including the Apache Web server and the OpenSSH server.

Xinyu Yang,Haoyuan Liu,Ziyu Wang,Peng Gao

DOI: https://doi.org/10.48550/arXiv.2211.05403

2022-11-10

Cryptography and Security

Abstract:System auditing has emerged as a key approach for monitoring system call events and investigating sophisticated attacks. Based on the collected audit logs, research has proposed to search for attack patterns or track the causal dependencies of system events to reveal the attack sequence. However, existing approaches either cannot reveal long-range attack sequences or suffer from the dependency explosion problem due to a lack of focus on attack-relevant parts, and thus are insufficient for investigating complex attacks. To bridge the gap, we propose Zebra, a system that synergistically integrates attack pattern search and causal dependency tracking for efficient attack investigation. With Zebra, security analysts can alternate between search and tracking to reveal the entire attack sequence in a progressive, user-guided manner, while mitigating the dependency explosion problem by prioritizing the attack-relevant parts. To enable this, Zebra provides (1) an expressive and concise domain-specific language, Tstl, for performing various types of search and tracking analyses, and (2) an optimized language execution engine for efficient execution over a big amount of auditing data. Evaluations on a broad set of attack cases demonstrate the effectiveness of Zebra in facilitating a timely attack investigation.

谷大武,李小勇,陆海宁

DOI: https://doi.org/10.3321/j.issn:1006-2467.2003.03.028

2003-01-01

Shanghai Jiaotong Daxue Xuebao/Journal of Shanghai Jiaotong University

Abstract:Intrusion detection is a major technique of identifying the network attackers. The intrusion detection systems available can find the event of most network-based attacks, but cannot judge the real locations of attackers. On the basis of the existing techniques, this paper presented a framework of network attacker-tracing system. It then provided the system architecture and listed the principal functions. By using of the relevant analysis, it gave the basic idea of retracing the attackers' paths. The simulation result shows that the framework and idea are feasible and efficient. Finally, the potential problems of such system from various respects such as security, practicability and tracing precision, etc. were analyzed.

Z. Fan

DOI: https://doi.org/10.1117/12.2675203

2023-05-25

Abstract:Nowadays, with the increasing diversity of Internet programs, more and more programs have launched more functions. However, many system vulnerabilities have gradually surfaced, and the process of finding and repairing vulnerabilities has become an imminent problem for developers. Code snippets related to dynamic memory allocation and resource preemption operations are a major source of operating system failures. In this paper, a new fault detection technique based on dynamic kernel tracing is proposed. The fault source and fault type are determined by collecting kernel call stack and global state transition information. The fault detection technology is implemented as a loadable kernel module in Linux system, which can effectively collect kernel information without adding hardware or modifying the original system code. The experimental results of fault injection show that the proposed method can detect faults effectively, and the detection delay is smaller than the method based on timeout time and performance index. How to deal with these vulnerabilities is the subject of this article.

Engineering,Computer Science

ZHANG Jun,SU Pu-rui,FENG Deng-guo

2006-01-01

Journal of Computer Applications

Abstract:The technology of Intrusion Detection is one of the important measures to protect the networks.Host-based intrusion detection is used to protect the key hosts.A flexible loading intrusion detection based on system-call was introduced in this paper.This system improved the common data collection method,and adopted virtual equipment driversto acquire system call.This method brings small influence on system,is easy to load and unload,and provides the standard interface. The data analysis integrates the two detection methods: anomaly and misuse,which provides corresponding detection models and introduces the noise filtering function.

Wang Yilei,Gao Xianfeng,Li Tao,Sun Yujuan

DOI: https://doi.org/10.3969/j.issn.1009-3044.2008.25.014

2008-01-01

Abstract:This paper presents a design of network security audit and monitoring system, including the design of monitoring module in Proxy and network capability, etc. And it also proposes the implement flow of these function models including the implement flow of security audit model and network monitoring model. This system has greatly improved the level of safety management of network through the practice for an application case and has good actual effect.

ZHAO Ling-tao,YANG Shu-tang,LU Song-nian,LI Jian-hua

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.32.032

2006-01-01

Computer Engineering and Applications Journal

Abstract:This article researches and realizes a network monitor and audit system of large scale and multiple,based on security audit and monitor technology.The system is not only suitable for class-scale security audit technology teaching and practicing but also suitable for scientific research.As the test and practice proved,the system possesses can support more than 150 users' concurrent accessing and the response time is not more than 1 s.

Lixin Li,Chao Wang

DOI: https://doi.org/10.1007/978-3-642-40787-1_31

2013-01-01

Abstract:Dynamic analysis techniques have made a significant impact in security practice, e.g. by automating some of the most tedious processes in detecting vulnerabilities. However, a significant gap remains between existing software tools and what many security applications demand. In this paper, we present our work on developing a cross-platform interactive analysis tool, which leverages techniques such as symbolic execution and taint tracking to analyze binary code on a range of platforms. The tool builds upon IDA, a popular reverse engineering platform, and provides a unified analysis engine to handle various instruction sets and operating systems. We have evaluated the tool on a set of real-world applications and shown that it can help identify the root causes of security vulnerabilities quickly.

LIU Jia,ZI Xiaochao,PAN Li,LI Jianhua

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.06.025

2006-01-01

Abstract:Based on the theory of audit only security involved,this paper presents a new way of logging which can greatly reduce the volume of BSM while same audit target is supported at the same time.

CAO Hui,WANG Qing-qing,MA Yi-zhong,LUO Ping

DOI: https://doi.org/10.3321/j.issn:1002-8331.2007.05.049

2007-01-01

Computer Engineering and Applications Journal

Abstract:Aiming at the problem of vast information redundancy of database auditing system,inflexible of auditing method and inefficient of data statistic analysis.This paper presents a new database security auditing system.It has more practical value for database security.

Fan Zhen,Yao Xianghua,Dai Yuehua,Zhang Xinman

DOI: https://doi.org/10.3969/j.issn.1000-386X.2012.05.003

2012-01-01

Abstract:The main way to compromise the security of computer is to obtain the unauthorised access of the system through vulnerabilities of the operating systems or applications for achieving the purpose of malicious attacks.In view of this,in this paper we implement a security monitor module at runtime.Based on dynamic information flow tracking technology,this module dynamically detects and records the information flow of the program by analysing the contents in the memories and registers when the program is running,so as to realise the positioning and prevention of the malicious attacks.

HAO Dong-bai,YAN Feng,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1000-3428.2008.06.100

2008-01-01

Abstract:Against the leakiness means of confidential computer, a confidential computer monitor and audit system is established, by using the technology of driver filter, SPI, message broadcast interrupt, virtual printing monitor and hook on Windows platform, key algorithms and implementation methods of this system are focused. Experimental result and practice validate the availability of this system.

Xiayang Wang,Fuqian Huang,Haibo Chen

DOI: https://doi.org/10.1186/s42400-018-0018-3

2019-01-01

Abstract:Recently released Intel processors have been equipped with hardware instruction tracing facilities to securely and efficiently record the program execution path. In this paper, we study a case for data integrity checking based on Intel Processor Trace (Intel PT), the instruction tracing facility on x86 processors. We incorporate software instrumentation and hardware instruction tracing to guarantee fine-grained data integrity without frequently switching the processor mode. We incorporate the idea in a system named DTrace which provides primitives to instruct Intel PT to capture the data load and store events, even current Intel PT implementations only record control transfers. The trace is analyzed before the program makes security-sensitive operations. We apply DTrace in several case studies to show that the primitives that DTrace provides are easy to use and help to enhance data integrity in applications. We further evaluate DTrace with several microbenchmarks to show the time cost that DTrace’s data tracing operation incurs. We also evaluate DTrace on Nginx to show the performance impact when Nginx is enhanced in security to provide the integrity during the runtime execution for programmer-defined security sensitive data. We find the performance overhead that DTrace incurs for the data tracing is moderate.