A proposed approach to detect and thwart previously unknown code injection attacks
Authors: Omar Hussein, Nermin Hamza, H. Hefny
Published in: 2015 IEEE Seventh International Conference on Intelligent Computing and Information Systems (ICICIS), pp. 336-342, December 2015
DOI: 10.1109/INTELCIS.2015.7397243 (https://doi.org/10.1109/INTELCIS.2015.7397243)
Citation count (Semantic Scholar): 2
This paper presents a proposed approach called the VAIL System Call Monitor (VSCM) to detect and thwart previously unknown code injection attacks. The approach rests on the observation that a process must invoke the CreateProcess() system call with valid arguments, otherwise creation of the child process fails. VSCM intercepts and verifies CreateProcess() invocations made by a monitored process. If the first parameter of a call (lpApplicationName, the image to load) names an executable that is not known for that process, the call is treated as malicious. In response, VSCM encrypts that parameter value, rendering the call invalid and so preventing the operating system from loading and executing the new malicious child process. VSCM runs in a microkernel-based virtual machine for two reasons: (1) to isolate security-critical information from the attacks an adversary is likely to mount, and (2) to benefit from the security and performance advantages of thin virtual machine monitors. The authors expect VSCM to be highly effective, arguing that it cannot be circumvented and that it extracts the normal behaviour of the monitored applications precisely.
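To make the decision logic concrete, the following is an added Python simulation, not code from the paper or its authors. It learns a per-process allow-list of child images from a constructed profiling log, screens intercepted CreateProcess() calls against it, and encrypts the executable-naming parameters of a rejected call with a one-time pad held by the monitor, so the OS cannot resolve the image but an analyst can still recover the intended target. The log format, the Profile and Verdict types, the one-time-pad step and the sample editor.exe application with its children are assumptions; interception from the monitor VM is not modelled. It goes beyond the abstract in one respect: it also handles the Win32 case where lpApplicationName is NULL and the executable is named by the first token of lpCommandLine, which a check on the first parameter alone would miss.

```python
"""Simulation of the VSCM decision logic (added illustration, not the paper's code).
Hypothetical: the log format, Profile/Verdict types, the one-time-pad step and the
sample editor.exe application.  Hooking CreateProcess() itself is not modelled."""
import secrets
from dataclasses import dataclass, field
from typing import Optional


def normalize_image(path: str) -> str:
    """Comparison form for a Windows image path (quotes stripped, separators unified, case folded)."""
    return path.strip().strip('"').replace("/", "\\").lower()


def image_from_call(app: Optional[str], cmd: Optional[str]) -> Optional[str]:
    """Image that CreateProcess(lpApplicationName=app, lpCommandLine=cmd) will load.
    Win32 rule: with lpApplicationName NULL the module is the first white-space-
    delimited token of lpCommandLine (quotes group a token containing spaces)."""
    if app:
        return normalize_image(app)
    if not cmd or not cmd.strip():
        return None
    cmd = cmd.lstrip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        token = cmd[1:end] if end != -1 else cmd[1:]
    else:
        token = cmd.split(None, 1)[0]  # unquoted path with spaces: Windows tries this prefix first
    return normalize_image(token)


@dataclass
class Profile:
    parent: str                                            # monitored process image
    allowed_children: set = field(default_factory=set)     # images it spawned while profiled


def learn_profile(parent: str, events) -> Profile:
    """Allow-list from (parent, lpApplicationName, lpCommandLine) records of benign runs."""
    prof = Profile(normalize_image(parent))
    for p, app, cmd in events:
        img = image_from_call(app, cmd) if normalize_image(p) == prof.parent else None
        if img:
            prof.allowed_children.add(img)
    return prof


def otp_encrypt(text: str) -> tuple:
    """One-time pad with a fresh key as long as the plaintext.  The monitor keeps the
    key, so the intended target is recoverable for forensics, while the hex ciphertext
    handed to the kernel cannot resolve to an existing image."""
    data = text.encode("utf-16-le")
    key = secrets.token_bytes(len(data))
    return bytes(a ^ b for a, b in zip(data, key)).hex(), key


def otp_decrypt(cipher_hex: str, key: bytes) -> str:
    return bytes(a ^ b for a, b in zip(bytes.fromhex(cipher_hex), key)).decode("utf-16-le")


@dataclass
class Verdict:
    allowed: bool
    image: Optional[str]
    lp_application_name: Optional[str]
    lp_command_line: Optional[str]
    keys: dict = field(default_factory=dict)   # parameter name -> OTP key


def screen_create_process(profile: Profile, app: Optional[str], cmd: Optional[str]) -> Verdict:
    """Intercepted CreateProcess(): known children pass unchanged; for an unknown child
    every parameter that can name the executable is encrypted so the call fails in the OS."""
    img = image_from_call(app, cmd)
    if img is not None and img in profile.allowed_children:
        return Verdict(True, img, app, cmd)
    v = Verdict(False, img, app, cmd)
    # lpCommandLine is scrambled as well: with lpApplicationName NULL the executable
    # travels in it, and touching only the first parameter would be bypassed.
    if app:
        v.lp_application_name, v.keys["lpApplicationName"] = otp_encrypt(app)
    if cmd:
        v.lp_command_line, v.keys["lpCommandLine"] = otp_encrypt(cmd)
    return v


# Constructed profiling log for the hypothetical monitored application editor.exe.
PARENT = r"C:\Program Files\Editor\editor.exe"
TRAINING_EVENTS = [
    (PARENT, r"C:\Program Files\Editor\spellcheck.exe", "spellcheck.exe --fast"),
    (PARENT, None, r'"C:\Program Files\Editor\update helper.exe" /check'),
    (r"C:\Other\tool.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),  # other parent
]

if __name__ == "__main__":
    prof = learn_profile(PARENT, TRAINING_EVENTS)
    for app, cmd in [(r"C:\Program Files\Editor\spellcheck.exe", "spellcheck.exe --fast"),
                     (r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),    # injected payload
                     (None, r"C:\Windows\System32\cmd.exe /c whoami")]:         # NULL first parameter
        v = screen_create_process(prof, app, cmd)
        print("ALLOW" if v.allowed else "BLOCK", v.image, "->", v.lp_application_name, v.lp_command_line)
```

The simulation compares image strings only; in a real monitor a bare name such as cmd.exe in lpCommandLine resolves through the search path, so the profile should be built from, and compared against, the fully resolved path of the image actually loaded, or an attacker can sidestep the allow-list with a differently spelled path to the same file.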