[Engineering] Graduation translation: telecommunications and computing (edited and revised draft)

2025-02-14 12:29
 

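[Article summary] ...all detectors have it. The aggregation process should not introduce too many additional common failings. The diversity in aggregating local profiles has the following causes: (i) User randomness. Different users can generate different profiles, but they mostly belong to the true baseline, assuming the profiles are trusted (user randomness can be viewed as taking different normal execution paths in the application). (ii) System environment randomness. We acknowledge that different system environments may have different sets of "normal behaviors". However, this should introduce only limited common failings, if any. In the worst case, we can, as in §

6 Limitations of Ensemble

We found Ensemble to be a promising approach to detecting code intrusion and other runtime anomalies using runtime profiles, and we also point out limitations that need to be addressed in the future. We also found that some applications are too complex and are limited when only limited system call sampling is used. Our experiments show that complex plugin-enabled applications can behave inconsistently with the original, e.g., an IE plugin may behave as Microsoft Word. Additional sampling and a larger community can help change this situation. We want to carry out an overall evaluation with hundreds of users in a real community. Privacy issues must be addressed, even though the system exchanges only summary data on system calls with the server. If a significant portion of the community's users mount a coordinated attack to pollute the global profile, the global profile can conceivably be corrupted. In open communities, pollution attacks are possible. In closed communities, such as enterprise environments, such attacks are less likely. Different applications may require different types of analysis. For example, if an application deliberately randomizes addresses at the function or instruction level (e.g., §), then stack signatures are ineffective. Alternative methods, such as path analysis, can be added to handle such applications. In our design, the stack signature is generated from the unique return addresses of the stack frames. The probability of collisions is not negligible on 32-bit operating systems, but 64-bit systems are becoming increasingly popular.

Common failings

Each application has a set of "normal behaviors" (the true baseline). When a detector defines normal behavior too far beyond the true baseline (i.e., too broadly), because the features or methods are inappropriate or the model is not precise enough (i.e., an imperfect detector), false negatives may occur. However, almost all detectors define normal behavior more broadly than the true baseline, thereby allowing mimicry attacks. It is not only our aggregation process that risks introducing too many additional common failings; any detector has this problem. Consider the causes of diversity in aggregating local profiles: (i) User randomness. Different users can generate different profiles, but they mostly belong to the true baseline, assuming the profiles are trusted (user randomness can be viewed as having different normal execution paths). (ii) System environment randomness. We acknowledge that different system environments may have different sets of "normal behaviors". However, this is a common failing that should be limited in any case. In the worst case, we can have separate, as in §

Mimicry attacks

A perfect detector should not, by overgeneralizing, leave any opportunity for mimicry attacks. Note that the aggregation process is independent of the features or methods used for anomaly detection. The existence of mimicry attacks is mainly due to the limitations of feature selection and detection techniques, rather than to profile aggregation. Our focus is to show how we can reduce false positives with a reasonable detector, rather than to make the features rich enough to rule out the possibility of mimicry attacks.

7 Conclusion

We have described the design of Ensemble, an unsupervised anomaly detection and prevention system that relies on a community of users to detect or block anomalies in popular applications. Local behavioral profiles are combined into a global profile, which can be used to detect or prevent code injection or behavior modification. Ensemble hosts only need to periodically contribute summarized profile data at runtime ( MB). Ensemble addresses the problem of merging profiles from hosts that may have different operating environments. Based on an evaluation of 57 tests on four candidate applications, we found that the quality of the global profile and the resulting false positive rate improve greatly as the community size grows to about 300 users. This demonstrates that using a community to generate behavioral profiles automatically, without manual effort, is a feasible approach, and that the resulting behavioral profiles are effective for real-time anomaly detection and prevention.

Ensemble: Community-Based Anomaly Detection for Popular Applications

Abstract: A major challenge in securing end-user systems is the risk of popular applications being hijacked at runtime. Traditional measures do not prevent such threats because the code itself is unmodified and local anomaly detectors are difficult to tune for correct thresholds due to insufficient training data. Given that the targets of attackers are often popular applications for communication and social networking, we propose Ensemble, a novel, automated approach based on a trusted community of users contributing system-call level local behavioral profiles of their applications to a global profile merging engine. The trust can be assumed in cases such as enterprise environments and can be further policed by reputation systems, e.g., by exploiting trust relationships inherently associated with social networks. The generated global profile can be used by all community users for local anomaly detection or prevention. Evaluation results based on a malware pool of 57 exploits demonstrate that Ensemble is an effective defense technique for communities of about 300 or more users as in enterprise environments.

1 Introduction

End-user systems can be difficult to secure for a variety of reasons. They are typically unmanaged: users download software, browser bugs, etc. In this paper, we focus on defending against a class of attacks in which popular applications are hijacked at runtime.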
In the past, this has led to widespread attacks such as the Skype worm spread using Skype and buffer overflows in Outlook clients to execute arbitrary code. Traditional measures, such as antivirus scanners [5], do not prevent such threats because the application code itself is unmodified. Prior work indicates that system-call level profiling [23,33,37] may help detect such attacks early but a significant barrier is a lack of sufficient training data to ensure low false positive rates.

In this paper, we present Ensemble, a novel unsupervised anomaly detection approach based on the idea of a trusted community of users contributing system-call level local profiles of an application to a common merging engine. The merging engine generates a global profile that captures the possible space of normal runtime behaviors of an application. The global profile can be used to detect or prevent anomalies in application behavior at each end host in real time. The promise of this approach is that it helps overcome the problem of a lack of sufficient training data at each host and can be largely automated. The challenges are making such a system efficient, overcoming the differences in profiles due to factors such as variations in installation directories or hardware, and identifying the appropriate information to collect in underlying hypothesis of Ensemble is that, as the number of local profiles increases, the aggregate global profile tends to converge, thus revealing the normal behavior of the target application. Most applications in our experiments were found to satisfy this property, though we also identified types of applications that would be exceptions. This paper makes the following contributions.

Handling diversity in execution environments. Various factors impact community-based profiling, e.g., the same application at different hosts may be installed in different directories, run with different amounts of memory, and use different numbers of CPUs.
All these can cause variations in the system call traces with their parameters. We determined the types of data to use for generating behavioral profiles to handle these variations, while keeping profiles compact and representative of the application.

Analysis of the relationship between the community size and false positive rates. We first applied community-based anomaly detection to a community of 12 users using a normal, clean instant messaging application. The detailed system-call level data were sampled for 50 minutes during 5 hours with each local profile generated based on one minute of sampled data. We found high false positive rates to be of significant concern, just as with single-host profiling using system calls. A testbed of virtual machines was subsequently used to study the impact of scaling up the system to a larger user found that the techniques, in general, tend to become much more effective with larger community size. Significant reduction in false positive rates was observed after reaching approximately 300 users.

Techniques to reduce data transfer by sharing summary data generated b
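
A small simulation of the convergence hypothesis and the community-size effect described in the introduction above, added here as an illustration and not taken from the Ensemble paper or its implementation. It assumes the merging engine takes the union of trusted local profiles, and it models behaviors as constructed integer IDs standing for (system call, stack signature) pairs; the universe size, sample size, community sizes and seed are arbitrary.

```python
import random

UNIVERSE = 400     # constructed: number of distinct normal behaviors of the application
PER_PROFILE = 40   # constructed: behaviors observed in one sampled local profile

def local_profile(rng):
    """One host's local profile: the behaviors seen during its sampling window."""
    return frozenset(rng.sample(range(UNIVERSE), PER_PROFILE))

def merge(profiles):
    """Assumed merge policy: global profile = union of trusted local profiles."""
    merged = set()
    for profile in profiles:
        merged |= profile
    return merged

def false_positive_rate(global_profile, clean_profile):
    """Fraction of a clean host's behaviors that the global profile would flag."""
    unseen = [b for b in clean_profile if b not in global_profile]
    return len(unseen) / len(clean_profile)

def is_anomalous(global_profile, behavior):
    """A behavior absent from the global profile is reported as an anomaly."""
    return behavior not in global_profile

def run(sizes=(1, 12, 50, 300), seed=7):
    """Return {community size: mean false positive rate} and the full global profile."""
    rng = random.Random(seed)
    community = [local_profile(rng) for _ in range(max(sizes))]
    held_out = [local_profile(rng) for _ in range(20)]  # clean hosts outside the community
    rates = {}
    for n in sizes:
        global_profile = merge(community[:n])
        rates[n] = sum(false_positive_rate(global_profile, h)
                       for h in held_out) / len(held_out)
    return rates, merge(community)

if __name__ == "__main__":
    rates, global_profile = run()
    for n, rate in rates.items():
        print(f"community={n:4d}  mean false positive rate={rate:.3f}")
    # A behavior outside the normal universe stands in for injected code.
    print("injected behavior flagged:", is_anomalous(global_profile, UNIVERSE + 1))
```

Because each larger community contains the smaller one, the union can only grow, so the false positive rate on clean hosts never increases with community size; the same property is what makes a union-style merge sensitive to the profile pollution discussed in the limitations.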