Software Decoys: Intrusion Detection and Countermeasures
Following VB, I got to thinking about some of my previous positions on AV and thought about just how hard a problem it is, at times. This paper sort of fits into that thinking, basically trying to discriminate malicious activity from normal activity, a somewhat related topic.

We introduce the notion of an intelligent software decoy, and provide both an architecture and event-based language for automatic implementation of them. Our decoys detect and respond to patterns of suspicious behavior, and maintain a repository of rules for behavior patterns and decoying actions. As an example, we construct a model of system behavior from an initial list of event types and their attributes in the interaction between computer worms and an operating system. The model represents patterns of suspicious or malicious events that the software decoy should detect, and specific actions to be taken in response. Our approach explicitly treats both standard and nonstandard invocations of components, with the latter representing an attempt to circumvent the public interface of the component.

Source: Software Decoys: Intrusion Detection and Countermeasures, James Bret Michael, Senior Member, IEEE, Mikhail Auguston, Neil C. Rowe, and Richard D. Riehle.
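To make the abstract's architecture concrete, here is a small added illustration of its three parts: events with a type and attributes, a repository of rules that match patterns over recent events, and a decoying action fired when a pattern matches. This is example code written for this post, not the paper's event language or implementation; the event types ("call", "probe"), attribute names such as via_public_interface, the rule thresholds, the action names and the sample trace are all constructed. The second rule shows why the rules see a window of events rather than one event at a time: the worm-like pattern only makes sense as a sequence, and the "nonstandard invocation" rule shows how a call that bypasses a component's public interface can be answered with a decoy response instead of an error.

```python
from collections import deque
from dataclasses import dataclass
from typing import Callable, List, Sequence, Tuple


@dataclass
class Event:
    """One observed event: a type plus its attributes (names constructed here)."""
    kind: str
    attrs: dict


@dataclass
class Rule:
    """A named pattern over the recent event window (oldest first) and the
    decoying action to take when it matches."""
    name: str
    pattern: Callable[[Sequence[Event]], bool]
    action: str


def nonstandard_invocation(window: Sequence[Event]) -> bool:
    """Matches when the newest event is a call that bypassed the component's
    public interface (the abstract's 'nonstandard invocation')."""
    last = window[-1]
    return last.kind == "call" and not last.attrs.get("via_public_interface", True)


def probe_then_write(window: Sequence[Event]) -> bool:
    """Matches a worm-like sequence: probes of at least three distinct hosts
    followed by a request to write an executable. The threshold is constructed."""
    last = window[-1]
    if not (last.kind == "call" and last.attrs.get("entry") == "write_executable"):
        return False
    hosts = {e.attrs.get("host") for e in window[:-1] if e.kind == "probe"}
    return len(hosts) >= 3


# The rule repository: pattern plus decoying action (action names are constructed).
RULES = [
    Rule("nonstandard-invocation", nonstandard_invocation, "return_bogus_handle"),
    Rule("probe-then-write", probe_then_write, "redirect_write_to_sandbox"),
]


class SoftwareDecoy:
    """Keeps a bounded window of recent events and evaluates every rule
    against it each time a new event arrives."""

    def __init__(self, rules: Sequence[Rule], window_size: int = 16) -> None:
        self.rules = list(rules)
        self.window: deque = deque(maxlen=window_size)
        self.log: List[Tuple[str, str]] = []

    def process(self, event: Event) -> List[Tuple[str, str]]:
        self.window.append(event)
        snapshot = tuple(self.window)  # deque has no slicing; rules get a tuple
        fired = [(r.name, r.action) for r in self.rules if r.pattern(snapshot)]
        self.log.extend(fired)
        return fired


def run_demo() -> List[List[Tuple[str, str]]]:
    """Feed a constructed trace through the decoy and return, per event, the
    (rule, action) pairs that fired. Hosts and entry names are made up."""
    decoy = SoftwareDecoy(RULES)
    trace = [
        Event("call", {"component": "FileStore", "entry": "open", "via_public_interface": True}),
        Event("probe", {"host": "10.0.0.1"}),
        Event("probe", {"host": "10.0.0.2"}),
        Event("probe", {"host": "10.0.0.3"}),
        Event("call", {"component": "FileStore", "entry": "write_executable", "via_public_interface": True}),
        Event("call", {"component": "FileStore", "entry": "raw_sector_write", "via_public_interface": False}),
    ]
    return [decoy.process(e) for e in trace]


if __name__ == "__main__":
    for i, fired in enumerate(run_demo()):
        print(i, fired or "-")
```

Only the fifth and sixth events trigger anything: the executable write fires the sequence rule because three distinct hosts were probed before it, and the raw sector write fires the nonstandard-invocation rule on its own. A real deployment would attach the decoy to the component boundary it is protecting, so that the chosen action (a bogus handle, a sandboxed write) is what the caller actually receives.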
October 26, 2006 in detection, papers