{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,21]],"date-time":"2026-02-21T18:17:24Z","timestamp":1771697844802,"version":"3.50.1"},"publisher-location":"Cham","reference-count":64,"publisher":"Springer International Publishing","isbn-type":[{"value":"9783319263618","type":"print"},{"value":"9783319263625","type":"electronic"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2015]]},"DOI":"10.1007\/978-3-319-26362-5_13","type":"book-chapter","created":{"date-parts":[[2015,10,26]],"date-time":"2015-10-26T14:10:45Z","timestamp":1445868645000},"page":"270-292","source":"Crossref","is-referenced-by-count":25,"title":["A Formal Framework for Program Anomaly Detection"],"prefix":"10.1007","author":[{"given":"Xiaokui","family":"Shu","sequence":"first","affiliation":[]},{"given":"Danfeng","family":"Yao","sequence":"additional","affiliation":[]},{"given":"Barbara G.","family":"Ryder","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2015,12,12]]},"reference":[{"key":"13_CR1","doi-asserted-by":"crossref","unstructured":"Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow integrity. In: Proceedings of ACM CCS, pp. 340\u2013353 (2005)","DOI":"10.1145\/1102120.1102165"},{"key":"13_CR2","doi-asserted-by":"crossref","unstructured":"Anderson, J.P.: Computer security technology planning study. Technical report, DTIC (October 1972)","DOI":"10.21236\/AD0772806"},{"issue":"3","key":"13_CR3","doi-asserted-by":"publisher","first-page":"34","DOI":"10.1109\/MC.2010.60","volume":"43","author":"M Bach","year":"2010","unstructured":"Bach, M., Charney, M., Cohn, R., Demikhovsky, E., Devor, T., Hazelwood, K., Jaleel, A., Luk, C.K., Lyons, G., Patil, H., Tal, A.: Analyzing parallel programs with pin. 
Computer 43(3), 34\u201341 (2010)","journal-title":"Computer"},{"key":"13_CR4","doi-asserted-by":"crossref","unstructured":"Bhatkar, S., Chaturvedi, A., Sekar, R.: Dataflow anomaly detection. In: Proceedings of IEEE S & P, May 2006","DOI":"10.1109\/SP.2006.12"},{"key":"13_CR5","doi-asserted-by":"crossref","unstructured":"Bletsch, T., Jiang, X., Freeh, V.W., Liang, Z.: Jump-oriented programming: a new class of code-reuse attack. In: Proceedings of ASIACCS, pp. 30\u201340 (2011)","DOI":"10.1145\/1966913.1966919"},{"key":"13_CR6","doi-asserted-by":"publisher","first-page":"286","DOI":"10.1007\/978-94-009-3401-6_11","volume-title":"The Formal Complexity of Natural Language","author":"J Bresnan","year":"1987","unstructured":"Bresnan, J., Bresnan, R.M., Peters, S., Zaenen, A.: Cross-serial dependencies in Dutch. In: Savitch, W.J., Bach, E., Marsh, W., Safran-Naveh, G. (eds.) The Formal Complexity of Natural Language, vol. 33, pp. 286\u2013319. Springer, Heidelberg (1987)"},{"key":"13_CR7","doi-asserted-by":"crossref","unstructured":"Canali, D., Lanzi, A., Balzarotti, D., Kruegel, C., Christodorescu, M., Kirda, E.: A quantitative study of accuracy in system call-based malware detection. In: Proceedings of ISSTA, pp. 122\u2013132 (2012)","DOI":"10.1145\/2338965.2336768"},{"issue":"5","key":"13_CR8","first-page":"823","volume":"24","author":"V Chandola","year":"2012","unstructured":"Chandola, V., Banerjee, A., Kumar, V.: Anomaly detection for discrete sequences: a survey. IEEE TKDE 24(5), 823\u2013839 (2012)","journal-title":"IEEE TKDE"},{"issue":"3","key":"13_CR9","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/1541880.1541882","volume":"41","author":"V Chandola","year":"2009","unstructured":"Chandola, V., Banerjee, A., Kumar, V.: Anomaly detection: a survey. ACM Comput. Surv. 41(3), 1\u201358 (2009)","journal-title":"ACM Comput. 
Surv."},{"key":"13_CR10","doi-asserted-by":"crossref","unstructured":"Checkoway, S., Davi, L., Dmitrienko, A., Sadeghi, A.R., Shacham, H., Winandy, M.: Return-oriented programming without returns. In: Proceedings of ACM CCS, pp. 559\u2013572 (2010)","DOI":"10.1145\/1866307.1866370"},{"key":"13_CR11","unstructured":"Chen, S., Xu, J., Sezer, E.C., Gauriar, P., Iyer, R.K.: Non-control-data attacks are realistic threats. In: Proceedings of USENIX Security, vol. 14, pp. 12\u201312 (2005)"},{"issue":"3","key":"13_CR12","doi-asserted-by":"publisher","first-page":"113","DOI":"10.1109\/TIT.1956.1056813","volume":"2","author":"N Chomsky","year":"1956","unstructured":"Chomsky, N.: Three models for the description of language. IRE Trans. Inf. Theory 2(3), 113\u2013124 (1956)","journal-title":"IRE Trans. Inf. Theory"},{"key":"13_CR13","unstructured":"Cowan, C., Pu, C., Maier, D., Hintony, H., Walpole, J., Bakke, P., Beattie, S., Grier, A., Wagle, P., Zhang, Q.: StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks. In: Proceedings of USENIX Security, vol. 7, p. 5 (1998)"},{"key":"13_CR14","unstructured":"Cox, B., Evans, D., Filipi, A., Rowanhill, J., Hu, W., Davidson, J., Knight, J., Nguyen-Tuong, A., Hiser, J.: N-variant systems: a secretless framework for security through diversity. In: Proceedings of USENIX Security, vol. 15 (2006)"},{"issue":"2","key":"13_CR15","first-page":"222","volume":"13","author":"DE Denning","year":"1987","unstructured":"Denning, D.E.: An intrusion-detection model. IEEE TSE 13(2), 222\u2013232 (1987)","journal-title":"IEEE TSE"},{"key":"13_CR16","doi-asserted-by":"crossref","unstructured":"Endler, D.: Intrusion detection: applying machine learning to solaris audit data. In: Proceedings of ACSAC, pp. 
268\u2013279, December 1998","DOI":"10.1109\/CSAC.1998.738647"},{"key":"13_CR17","doi-asserted-by":"crossref","unstructured":"Eskin, E., Lee, W., Stolfo, S.: Modeling system calls for intrusion detection with dynamic window sizes. In: Proceedings of DARPA Information Survivability Conference and Exposition II, vol.1, pp. 165\u2013175 (2001)","DOI":"10.1109\/DISCEX.2001.932213"},{"key":"13_CR18","unstructured":"Feng, H.H., Kolesnikov, O.M., Fogla, P., Lee, W., Gong, W.: Anomaly detection using call stack information. In: Proceedings of IEEE Security and Privacy (2003)"},{"key":"13_CR19","unstructured":"Feng, H., Giffin, J., Huang, Y., Jha, S., Lee, W., Miller, B.: Formalizing sensitivity in static analysis for intrusion detection. In: Proceedings of IEEE Security and Privacy, pp. 194\u2013208, May 2004"},{"key":"13_CR20","unstructured":"Fogla, P., Sharif, M., Perdisci, R., Kolesnikov, O., Lee, W.: Polymorphic blending attacks. In: Proceedings of USENIX Security, pp. 241\u2013256 (2006)"},{"key":"13_CR21","doi-asserted-by":"crossref","unstructured":"Forrest, S., Hofmeyr, S., Somayaji, A.: The evolution of system-call monitoring. In: Proceedings of ACSAC, pp. 418\u2013430, December 2008","DOI":"10.1109\/ACSAC.2008.54"},{"key":"13_CR22","doi-asserted-by":"crossref","unstructured":"Forrest, S., Perelson, A., Allen, L., Cherukuri, R.: Self-nonself discrimination in a computer. In: Proceedings of IEEE Security and Privacy, pp. 202\u2013212, May 1994","DOI":"10.1109\/RISP.1994.296580"},{"key":"13_CR23","unstructured":"Forrest, S., Hofmeyr, S.A., Somayaji, A., Longstaff, T.A.: A sense of self for unix processes. In: Proceedings of IEEE Security and Privacy, pp. 120\u2013128 (1996)"},{"key":"13_CR24","unstructured":"Gao, D., Reiter, M.K., Song, D.: On gray-box program tracking for anomaly detection. In: Proceedings of USENIX Security, vol. 13, p. 
8 (2004)"},{"key":"13_CR25","doi-asserted-by":"crossref","unstructured":"Gao, D., Reiter, M.K., Song, D.: Behavioral distance for intrusion detection. In: Proceedings of RAID, pp. 63\u201381 (2006)","DOI":"10.1007\/11663812_4"},{"key":"13_CR26","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"19","DOI":"10.1007\/11856214_2","volume-title":"Recent Advances in Intrusion Detection","author":"D Gao","year":"2006","unstructured":"Gao, D., Reiter, M.K., Song, D.: Behavioral distance measurement using hidden Markov models. In: Zamboni, D., Kruegel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 19\u201340. Springer, Heidelberg (2006)"},{"key":"13_CR27","unstructured":"Ghosh, A.K., Schwartzbard, A.: A study in using neural networks for anomaly and misuse detection. In: Proceedings of USENIX Security, vol. 8, p. 12 (1999)"},{"key":"13_CR28","doi-asserted-by":"crossref","unstructured":"Giffin, J.T., Dagon, D., Jha, S., Lee, W., Miller, B.P.: Environment-sensitive intrusion detection. In: Proceedings of RAID, pp. 185\u2013206 (2006)","DOI":"10.1007\/11663812_10"},{"key":"13_CR29","unstructured":"Giffin, J.T., Jha, S., Miller, B.P.: Detecting manipulated remote call streams. In: Proceedings of USENIX Security, pp. 61\u201379 (2002)"},{"key":"13_CR30","unstructured":"Giffin, J.T., Jha, S., Miller, B.P.: Efficient context-sensitive intrusion detection. In: Proceedings of NDSS (2004)"},{"key":"13_CR31","doi-asserted-by":"crossref","unstructured":"Gopalakrishna, R., Spafford, E.H., Vitek, J.: Efficient intrusion detection using automaton inlining. In: Proceedings of IEEE Security and Privacy, pp. 18\u201331, May 2005","DOI":"10.1109\/SP.2005.1"},{"key":"13_CR32","doi-asserted-by":"crossref","unstructured":"Gu, Z., Pei, K., Wang, Q., Si, L., Zhang, X., Xu, D.: Leaps: detecting camouflaged attacks with statistical learning guided by program analysis. 
In: Proceedings of DSN, June 2015","DOI":"10.1109\/DSN.2015.34"},{"key":"13_CR33","unstructured":"Hofmeyr, S.: Primary response technical white paper. http:\/\/www.ttivanguard.com\/austinreconn\/primaryresponse.pdf . Accessed August 2015"},{"key":"13_CR34","volume-title":"Introduction to Automata Theory, Languages, and Computation","author":"JE Hopcroft","year":"1979","unstructured":"Hopcroft, J.E.: Introduction to Automata Theory, Languages, and Computation. Pearson Education India, New Delhi (1979)"},{"key":"13_CR35","unstructured":"Inoue, H., Somayaji, A.: Lookahead pairs and full sequences: a tale of two anomaly detection methods. In: Proceedings of ASIA, pp. 9\u201319 (2007)"},{"issue":"5","key":"13_CR36","doi-asserted-by":"publisher","first-page":"35","DOI":"10.1109\/52.605929","volume":"14","author":"A Kosoresow","year":"1997","unstructured":"Kosoresow, A., Hofmeyer, S.: Intrusion detection via system call traces. IEEE Softw. 14(5), 35\u201342 (1997)","journal-title":"IEEE Softw."},{"key":"13_CR37","doi-asserted-by":"crossref","unstructured":"Kruegel, C., Mutz, D., Robertson, W., Valeur, F.: Bayesian event classification for intrusion detection. In: Proceedings of ACSAC, pp. 14\u201323, December 2003","DOI":"10.1109\/CSAC.2003.1254306"},{"key":"13_CR38","unstructured":"Kruegel, C., Kirda, E., Mutz, D., Robertson, W., Vigna, G.: Automating mimicry attacks using static binary analysis. In: Proceedings of USENIX Security, vol. 14, p. 11 (2005)"},{"key":"13_CR39","unstructured":"Kuznetsov, V., Szekeres, L., Payer, M., Candea, G., Sekar, R., Song, D.: Code-pointer integrity. In: Proceedings of USENIX OSDI, pp. 147\u2013163 (2014)"},{"key":"13_CR40","unstructured":"Lee, W., Stolfo, S.J.: Data mining approaches for intrusion detection. In: Proceedings of USENIX Security, vol. 7, p. 
6 (1998)"},{"issue":"5","key":"13_CR41","doi-asserted-by":"publisher","first-page":"439","DOI":"10.1016\/S0167-4048(02)00514-X","volume":"21","author":"Y Liao","year":"2002","unstructured":"Liao, Y., Vemuri, V.: Use of k-nearest neighbor classifier for intrusion detection. Comput. Secur. 21(5), 439\u2013448 (2002)","journal-title":"Comput. Secur."},{"key":"13_CR42","unstructured":"Liebchen, C., Negro, M., Larsen, P., Davi, L., Sadeghi, A.R., Crane, S., Qunaibit, M., Franz, M., Conti, M.: Losing control: on the effectiveness of control-flow integrity under stack attacks. In: Proceedings of ACM CCS (2015)"},{"key":"13_CR43","doi-asserted-by":"crossref","unstructured":"Liu, Z., Bridges, S.M., Vaughn, R.B.: Combining static analysis and dynamic learning to build accurate intrusion detection models. In: Proceedings of IWIA, pp. 164\u2013177, March 2005","DOI":"10.1109\/IWIA.2005.6"},{"issue":"4","key":"13_CR44","first-page":"381","volume":"7","author":"F Maggi","year":"2010","unstructured":"Maggi, F., Matteucci, M., Zanero, S.: Detecting intrusions through system call sequence and argument analysis. IEEE TDSC 7(4), 381\u2013395 (2010)","journal-title":"IEEE TDSC"},{"key":"13_CR45","doi-asserted-by":"crossref","unstructured":"Marceau, C.: Characterizing the behavior of a program using multiple-length n-grams. In: Proceedings of NSPW, pp. 101\u2013110 (2000)","DOI":"10.1145\/366173.366197"},{"issue":"1","key":"13_CR46","doi-asserted-by":"publisher","first-page":"61","DOI":"10.1145\/1127345.1127348","volume":"9","author":"D Mutz","year":"2006","unstructured":"Mutz, D., Valeur, F., Vigna, G., Kruegel, C.: Anomalous system call detection. ACM TISSEC 9(1), 61\u201393 (2006)","journal-title":"ACM TISSEC"},{"issue":"6","key":"13_CR47","doi-asserted-by":"publisher","first-page":"577","DOI":"10.1145\/2666356.2594295","volume":"49","author":"B Niu","year":"2014","unstructured":"Niu, B., Tan, G.: Modular control-flow integrity. SIGPLAN Not. 
49(6), 577\u2013587 (2014)","journal-title":"SIGPLAN Not."},{"key":"13_CR48","volume-title":"Computational Complexity","author":"CH Papadimitriou","year":"2003","unstructured":"Papadimitriou, C.H.: Computational Complexity. John Wiley and Sons Ltd., New York (2003)"},{"key":"13_CR49","doi-asserted-by":"crossref","unstructured":"Pullum, G.K.: Context-freeness and the computer processing of human languages. In: Proceedings of ACL, Stroudsburg, PA, USA, pp. 1\u20136 (1983)","DOI":"10.3115\/981311.981313"},{"key":"13_CR50","doi-asserted-by":"crossref","unstructured":"Sekar, R., Bendre, M., Dhurjati, D., Bollineni, P.: A fast automaton-based method for detecting anomalous program behaviors. In: Proceedings of IEEE Security and Privacy, pp. 144\u2013155 (2001)","DOI":"10.1109\/SECPRI.2001.924295"},{"key":"13_CR51","doi-asserted-by":"crossref","unstructured":"Shacham, H.: The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In: Proceedings of ACM CCS, pp. 552\u2013561 (2007)","DOI":"10.1145\/1315245.1315313"},{"key":"13_CR52","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"21","DOI":"10.1007\/978-3-540-74320-0_2","volume-title":"Recent Advances in Intrusion Detection","author":"M Sharif","year":"2007","unstructured":"Sharif, M., Singh, K., Giffin, J.T., Lee, W.: Understanding precision in host based intrusion detection. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 21\u201341. Springer, Heidelberg (2007)"},{"key":"13_CR53","doi-asserted-by":"publisher","first-page":"320","DOI":"10.1007\/978-94-009-3401-6_12","volume-title":"The Formal Complexity of Natural Language","author":"SM Shieber","year":"1987","unstructured":"Shieber, S.M.: Evidence against the context-freeness of natural language. In: Kulas, J., Fetzer, J.H., Rankin, T.L. (eds.) The Formal Complexity of Natural Language, vol. 33, pp. 320\u2013334. 
Springer, Heidelberg (1987)"},{"key":"13_CR54","doi-asserted-by":"crossref","unstructured":"Shu, X., Yao, D., Ramakrishnan, N.: Unearthing stealthy program attacks buried in extremely long execution paths. In: Proceedings of ACM CCS (2015)","DOI":"10.1145\/2810103.2813654"},{"key":"13_CR55","doi-asserted-by":"crossref","unstructured":"Sufatrio, Yap, R.: Improving host-based IDS with argument abstraction to prevent mimicry attacks. In: Proceedings of RAID, pp. 146\u2013164 (2006)","DOI":"10.1007\/11663812_8"},{"key":"13_CR56","doi-asserted-by":"crossref","unstructured":"Szekeres, L., Payer, M., Wei, T., Song, D.: SoK: eternal war in memory. In: Proceedings of IEEE Security and Privacy, pp. 48\u201362 (2013)","DOI":"10.1109\/SP.2013.13"},{"issue":"6","key":"13_CR57","first-page":"875","volume":"15","author":"G Tandon","year":"2006","unstructured":"Tandon, G., Chan, P.K.: On the learning of system call attributes for host-based anomaly detection. IJAIT 15(6), 875\u2013892 (2006)","journal-title":"IJAIT"},{"key":"13_CR58","unstructured":"Vendicator: StackShield. http:\/\/www.angelfire.com\/sk\/stackshield\/ . Accessed August 2015"},{"key":"13_CR59","doi-asserted-by":"crossref","unstructured":"Wagner, D., Dean, D.: Intrusion detection via static analysis. In: Proceedings of IEEE Security and Privacy, pp. 156\u2013168 (2001)","DOI":"10.1109\/SECPRI.2001.924296"},{"key":"13_CR60","doi-asserted-by":"crossref","unstructured":"Wagner, D., Soto, P.: Mimicry attacks on host-based intrusion detection systems. In: Proceedings of ACM CCS, pp. 255\u2013264 (2002)","DOI":"10.1145\/586143.586145"},{"key":"13_CR61","doi-asserted-by":"crossref","unstructured":"Warrender, C., Forrest, S., Pearlmutter, B.: Detecting intrusions using system calls: alternative data models. In: Proceedings of IEEE S&P, pp. 
133\u2013145 (1999)","DOI":"10.1109\/SECPRI.1999.766910"},{"key":"13_CR62","doi-asserted-by":"crossref","unstructured":"Wee, K., Moon, B.: Automatic generation of finite state automata for detecting intrusions using system call sequences. In: Proceedings of MMM-ACNS (2003)","DOI":"10.1007\/978-3-540-45215-7_17"},{"key":"13_CR63","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"110","DOI":"10.1007\/3-540-39945-3_8","volume-title":"Recent Advances in Intrusion Detection","author":"A Wespi","year":"2000","unstructured":"Wespi, A., Dacier, M., Debar, H.: Intrusion detection using variable-length audit trail patterns. In: Debar, H., M\u00e9, L., Wu, S.F. (eds.) RAID 2000. LNCS, vol. 1907, pp. 110\u2013129. Springer, Heidelberg (2000)"},{"key":"13_CR64","doi-asserted-by":"crossref","unstructured":"Xu, K., Yao, D., Ryder, B.G., Tian, K.: Probabilistic program modeling for high-precision anomaly classification. In: Proceedings of IEEE CSF (2015)","DOI":"10.1109\/CSF.2015.37"}],"container-title":["Lecture Notes in Computer Science","Research in Attacks, Intrusions, and Defenses"],"original-title":[],"link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-319-26362-5_13","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,5,31]],"date-time":"2025-05-31T04:26:21Z","timestamp":1748665581000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-319-26362-5_13"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2015]]},"ISBN":["9783319263618","9783319263625"],"references-count":64,"URL":"https:\/\/doi.org\/10.1007\/978-3-319-26362-5_13","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2015]]}}}