Anomaly detection using call stack information

Abstract

The call stack of a program execution can be a very good information source for intrusion detection. There is no prior work on dynamically extracting information from the call stack and effectively using it to detect exploits. In this paper we propose a new method to do anomaly detection using call stack information. The basic idea is to extract return addresses from the call stack, and generate an abstract execution path between two program execution points. Experiments show that our method can detect some attacks that cannot be detected by other approaches, while its convergence and false positive performance is comparable to or better than the other approaches. We compare our method with other approaches by analyzing their underlying principles and thus achieve a better characterization of their performance, in particular on what and why attacks will be missed by the various approaches.

Feng, H. H., Kolesnikov, O. M., Fogla, P., Lee, W., & Gong, W. (2003). Anomaly detection using call stack information. In Proceedings - IEEE Symposium on Security and Privacy (Vol. 2003-January, pp. 62–75). Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/SECPRI.2003.1199328
