{"id":13203,"date":"2021-12-07T20:43:41","date_gmt":"2021-12-08T01:43:41","guid":{"rendered":"https:\/\/carleton.ca\/scs\/?page_id=13203"},"modified":"2021-12-07T20:43:41","modified_gmt":"2021-12-08T01:43:41","slug":"tr-07-09-what-happened-to-anomaly-detection","status":"publish","type":"page","link":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2007\/tr-07-09-what-happened-to-anomaly-detection\/","title":{"rendered":"TR-07-09: What Happened to Anomaly Detection?"},"content":{"rendered":"

Carleton University
\nTechnical Report<\/a> TR-07-09
\nMarch 2, 2007<\/p>\n

What Happened to Anomaly Detection?<\/h2>\n
\n
\n
\n
\n
\n
\n
\n
\n
\n

Hajime Inoue & Anil Somayaji<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

\n

Abstract<\/h3>\n

Mimicry attacks have motivated much of the recent work in program-level intrusion detection. Whether based on runtime monitoring or static analysis, work by Kruegel (2003), Giffin (2005) and others have focused on the challenge posed by attacks that are designed to emulate normal program behavior. Although mimicry attacks can be a significant threat in certain circumstances, we argue that they are not more significant than issues such as false positives and overall attack coverage. Furthermore, given the inevitable compromises involved in creating intrusion detection systems, a focus on mimicry attacks almost necessitates a compromise on these other qualities. In this paper we present a simple model of program-level intrusion detection systems that captures these trade-offs, and we apply this model to the work of Forrest (1996), Giffin, Kruegel, and Sekar (2001). This analysis shows that advances in mimicry resistance have been accompanied by an overall reduction in performance. We then propose an alternative interpretation of mimicry attacks that suggests improved designs for next generation systems.<\/p>\n

TR-07-09.pdf<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

Carleton University Technical Report TR-07-09 March 2, 2007 What Happened to Anomaly Detection? Hajime Inoue & Anil Somayaji Abstract Mimicry attacks have motivated much of the recent work in program-level intrusion detection. Whether based on runtime monitoring or static analysis, work by Kruegel (2003), Giffin (2005) and others have focused on the challenge posed by […]<\/p>\n","protected":false},"author":49,"featured_media":0,"parent":12385,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_relevanssi_hide_post":"","_relevanssi_hide_content":"","_relevanssi_pin_for_all":"","_relevanssi_pin_keywords":"","_relevanssi_unpin_keywords":"","_relevanssi_related_keywords":"","_relevanssi_related_include_ids":"","_relevanssi_related_exclude_ids":"","_relevanssi_related_no_append":"","_relevanssi_related_not_related":"","_relevanssi_related_posts":"","_relevanssi_noindex_reason":"","_mi_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":"","_links_to":"","_links_to_target":""},"yoast_head":"\nTR-07-09: What Happened to Anomaly Detection? - School of Computer Science<\/title>\n<meta name=\"description\" content=\"Carleton University Technical Report TR-07-09 March 2, 2007 What Happened to Anomaly Detection? Hajime Inoue & Anil Somayaji Abstract Mimicry attacks\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2007\/tr-07-09-what-happened-to-anomaly-detection\/\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2007\/tr-07-09-what-happened-to-anomaly-detection\/\",\"url\":\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2007\/tr-07-09-what-happened-to-anomaly-detection\/\",\"name\":\"TR-07-09: What Happened to Anomaly Detection? - School of Computer Science\",\"isPartOf\":{\"@id\":\"https:\/\/carleton.ca\/scs\/#website\"},\"datePublished\":\"2021-12-08T01:43:41+00:00\",\"dateModified\":\"2021-12-08T01:43:41+00:00\",\"description\":\"Carleton University Technical Report TR-07-09 March 2, 2007 What Happened to Anomaly Detection? Hajime Inoue & Anil Somayaji Abstract Mimicry attacks\",\"breadcrumb\":{\"@id\":\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2007\/tr-07-09-what-happened-to-anomaly-detection\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2007\/tr-07-09-what-happened-to-anomaly-detection\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2007\/tr-07-09-what-happened-to-anomaly-detection\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/carleton.ca\/scs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Research\",\"item\":\"https:\/\/carleton.ca\/scs\/research\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"SCS Technical Reports\",\"item\":\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Technical Reports 2007\",\"item\":\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2007\/\"},{\"@type\":\"ListItem\",\"position\":5,\"name\":\"TR-07-09: What Happened to Anomaly Detection?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/carleton.ca\/scs\/#website\",\"url\":\"https:\/\/carleton.ca\/scs\/\",\"name\":\"School of Computer Science\",\"description\":\"Carleton University\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/carleton.ca\/scs\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"TR-07-09: What Happened to Anomaly Detection? - School of Computer Science","description":"Carleton University Technical Report TR-07-09 March 2, 2007 What Happened to Anomaly Detection? Hajime Inoue & Anil Somayaji Abstract Mimicry attacks","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2007\/tr-07-09-what-happened-to-anomaly-detection\/","twitter_misc":{"Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2007\/tr-07-09-what-happened-to-anomaly-detection\/","url":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2007\/tr-07-09-what-happened-to-anomaly-detection\/","name":"TR-07-09: What Happened to Anomaly Detection? - School of Computer Science","isPartOf":{"@id":"https:\/\/carleton.ca\/scs\/#website"},"datePublished":"2021-12-08T01:43:41+00:00","dateModified":"2021-12-08T01:43:41+00:00","description":"Carleton University Technical Report TR-07-09 March 2, 2007 What Happened to Anomaly Detection? Hajime Inoue & Anil Somayaji Abstract Mimicry attacks","breadcrumb":{"@id":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2007\/tr-07-09-what-happened-to-anomaly-detection\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2007\/tr-07-09-what-happened-to-anomaly-detection\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2007\/tr-07-09-what-happened-to-anomaly-detection\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/carleton.ca\/scs\/"},{"@type":"ListItem","position":2,"name":"Research","item":"https:\/\/carleton.ca\/scs\/research\/"},{"@type":"ListItem","position":3,"name":"SCS Technical Reports","item":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/"},{"@type":"ListItem","position":4,"name":"Technical Reports 2007","item":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2007\/"},{"@type":"ListItem","position":5,"name":"TR-07-09: What Happened to Anomaly Detection?"}]},{"@type":"WebSite","@id":"https:\/\/carleton.ca\/scs\/#website","url":"https:\/\/carleton.ca\/scs\/","name":"School of Computer Science","description":"Carleton University","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/carleton.ca\/scs\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"}]}},"acf":{"banner_image_type":"none","banner_button":"no"},"_links":{"self":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/13203"}],"collection":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/users\/49"}],"replies":[{"embeddable":true,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/comments?post=13203"}],"version-history":[{"count":1,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/13203\/revisions"}],"predecessor-version":[{"id":13204,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/13203\/revisions\/13204"}],"up":[{"embeddable":true,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/12385"}],"wp:attachment":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/media?parent=13203"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}