Scholars@Duke publication: Automatically adapting a trained anomaly detector to software patches

Automatically adapting a trained anomaly detector to software patches

Publication , Conference

Li, P; Gao, D; Reiter, MK

Published in: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

December 1, 2009

Published version (DOI)

In order to detect a compromise of a running process based on it deviating from its program's normal system-call behavior, an anomaly detector must first be trained with traces of system calls made by the program when provided clean inputs. When a patch for the monitored program is released, however, the system call behavior of the new version might differ from that of the version it replaces, rendering the anomaly detector too inaccurate for monitoring the new version. In this paper we explore an alternative to collecting traces of the new program version in a clean environment (which may take effort to set up), namely adapting the anomaly detector to accommodate the differences between the old and new program versions. We demonstrate that this adaptation is feasible for such an anomaly detector, given the output of a state-of-the-art binary difference analyzer. Our analysis includes both proofs of properties of the adapted detector, and empirical evaluation of adapted detectors based on four software case studies. © 2009 Springer Berlin Heidelberg.

Duke Scholars

Author Michael Reiter Computer Science

Published In

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

DOI

10.1007/978-3-642-04342-0_8

EISSN

1611-3349

ISSN

0302-9743

ISBN

9783642043413

Publication Date

December 1, 2009

Volume

5758 LNCS

Start / End Page

142 / 160

Related Subject Headings

Artificial Intelligence & Image Processing

Citation

APA

Chicago

ICMJE

MLA

NLM

Li, P., Gao, D., & Reiter, M. K. (2009). Automatically adapting a trained anomaly detector to software patches. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 5758 LNCS, pp. 142–160). https://doi.org/10.1007/978-3-642-04342-0_8

Li, P., D. Gao, and M. K. Reiter. “Automatically adapting a trained anomaly detector to software patches.” In Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 5758 LNCS:142–60, 2009. https://doi.org/10.1007/978-3-642-04342-0_8.

Li P, Gao D, Reiter MK. Automatically adapting a trained anomaly detector to software patches. In: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). 2009. p. 142–60.

Li, P., et al. “Automatically adapting a trained anomaly detector to software patches.” Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 5758 LNCS, 2009, pp. 142–60. Scopus, doi:10.1007/978-3-642-04342-0_8.

Li P, Gao D, Reiter MK. Automatically adapting a trained anomaly detector to software patches. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). 2009. p. 142–160.

Published In

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

DOI

10.1007/978-3-642-04342-0_8

EISSN

1611-3349

ISSN

0302-9743

ISBN

9783642043413

Publication Date

December 1, 2009

Volume

5758 LNCS

Start / End Page

142 / 160

Related Subject Headings

Artificial Intelligence & Image Processing