{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,18]],"date-time":"2025-11-18T23:15:12Z","timestamp":1763507712508,"version":"3.41.0"},"reference-count":66,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2017,9,20]],"date-time":"2017-09-20T00:00:00Z","timestamp":1505865600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"ARO YIP","award":["W911NF-14-1-0535"],"award-info":[{"award-number":["W911NF-14-1-0535"]}]},{"name":"ONR","award":["N00014-13-1-0016"],"award-info":[{"award-number":["N00014-13-1-0016"]}]},{"DOI":"10.13039\/100006602","name":"AFRL","doi-asserted-by":"crossref","id":[{"id":"10.13039\/100006602","id-type":"DOI","asserted-by":"crossref"}]},{"name":"ARL","award":["W911NF-13-2-0045"],"award-info":[{"award-number":["W911NF-13-2-0045"]}]},{"DOI":"10.13039\/100006754","name":"Army Research Laboratory","doi-asserted-by":"crossref","award":["W911NF-13-2-0045"],"award-info":[{"award-number":["W911NF-13-2-0045"]}],"id":[{"id":"10.13039\/100006754","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/100000185","name":"DARPA","doi-asserted-by":"crossref","award":["FA8650-15-C-7561"],"award-info":[{"award-number":["FA8650-15-C-7561"]}],"id":[{"id":"10.13039\/100000185","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2017,11,30]]},"abstract":"<jats:p>Intertwined developments between program attacks and defenses witness the evolution of program anomaly detection methods. Emerging categories of program attacks, e.g., non-control data attacks and data-oriented programming, are able to comply with normal trace patterns at local views. 
This article points out the deficiency of existing program anomaly detection models against new attacks and presents long-span behavior anomaly detection (LAD), a model based on mildly context-sensitive grammar verification. The key feature of LAD is its reasoning of correlations among arbitrary events that occurred in long program traces. It extends existing correlation analysis between events at a stack snapshot, e.g., paired call and ret, to correlation analysis among events that historically occurred during the execution. The proposed method leverages specialized machine learning techniques to probe normal program behavior boundaries in vast high-dimensional detection space. Its two-stage modeling\/detection design analyzes event correlation at both binary and quantitative levels. Our prototype successfully detects all reproduced real-world attacks against sshd, libpcre, and sendmail. The detection procedure incurs 0.1 ms to 1.3 ms overhead to profile and analyze a single behavior instance that consists of tens of thousands of function call or system call events.<\/jats:p>","DOI":"10.1145\/3105761","type":"journal-article","created":{"date-parts":[[2017,9,20]],"date-time":"2017-09-20T12:35:19Z","timestamp":1505910919000},"page":"1-28","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":17,"title":["Long-Span Program Behavior Modeling and Attack Detection"],"prefix":"10.1145","volume":"20","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-7381-7041","authenticated-orcid":false,"given":"Xiaokui","family":"Shu","sequence":"first","affiliation":[{"name":"IBM Research"}]},{"given":"Danfeng (Daphne)","family":"Yao","sequence":"additional","affiliation":[{"name":"Virginia Tech"}]},{"given":"Naren","family":"Ramakrishnan","sequence":"additional","affiliation":[{"name":"Virginia Tech"}]},{"given":"Trent","family":"Jaeger","sequence":"additional","affiliation":[{"name":"Pennsylvania State 
University"}]}],"member":"320","published-online":{"date-parts":[[2017,9,20]]},"reference":[{"volume-title":"Proceedings of the Network and Distributed System Security Symposium. The Internet Society","year":"2009","author":"Bayer Ulrich","key":"e_1_2_1_1_1"},{"volume-title":"A Linguist\u2019s Survey of Pumping Lemmata. Master\u2019s thesis","author":"Behrenfeldt Johan","key":"e_1_2_1_2_1"},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2006.12"},{"volume-title":"Proceedings of the Network and Distributed System Security Symposium. The Internet Society","year":"2007","author":"Brumley David","key":"e_1_2_1_4_1"},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/2338965.2336768"},{"volume":"14","volume-title":"Proceedings of the USENIX Security Symposium","author":"Chen Shuo","key":"e_1_2_1_6_1"},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.5555\/1776434.1776440"},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.1987.232894"},{"volume-title":"Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society","author":"Feng Henry Hanping","key":"e_1_2_1_9_1"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.5555\/829515.830554"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2008.54"},{"volume-title":"Proceedings of the IEEE Symposium on Security and Privacy. 
IEEE Computer Society","author":"Forrest Stephanie","key":"e_1_2_1_12_1"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.11"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-02918-9_13"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1007\/11856214_2"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/3037697.3037716"},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.5555\/784589.784655"},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1007\/11663812_10"},{"volume-title":"Proceedings of the Network and Distributed System Security Symposium. The Internet Society","author":"Giffin Jonathon T.","key":"e_1_2_1_19_1"},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2005.1"},{"key":"e_1_2_1_21_1","volume-title":"Proceedings of the USENIX Security Symposium","volume":"7","author":"Gu Guofei","year":"2007"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2015.34"},{"key":"e_1_2_1_23_1","unstructured":"Heartbleed 2014. The Heartbleed Bug. Retrieved from http:\/\/heartbleed.com\/."},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.5555\/2831143.2831155"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.62"},{"key":"e_1_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/2046684.2046692"},{"volume-title":"Proceedings of the International Conference on Communication Systems and Networks. IEEE","author":"Hubballi N.","key":"e_1_2_1_27_1"},{"volume-title":"Proceedings of the Annual Symposium on Information Assurance. ASIA","year":"2007","author":"Inoue Hajime","key":"e_1_2_1_28_1"},{"volume-title":"Md Saiful Islam, and Morshed U. 
Chowdhury","year":"2011","author":"Islam Md Rafiqul","key":"e_1_2_1_29_1"},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/2030376.2030377"},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10766-012-0193-x"},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/2815400.2815412"},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/52.605929"},{"key":"e_1_2_1_35_1","unstructured":"Jeffrey P. Lanza. 2001. SSH CRC32 attack detection code contains remote integer overflow. (2001). Vulnerability Notes Database."},{"volume-title":"Proceedings of the USENIX Security Symposium. USENIX Association","author":"Lee Wenke","key":"e_1_2_1_36_1"},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1109\/IWIA.2005.6"},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2008.69"},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1142\/S0218213014600239"},{"key":"e_1_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/1132026.1132027"},{"key":"e_1_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1007\/11856214_5"},{"key":"e_1_2_1_42_1","unstructured":"Paradyn 2016. The Paradyn Project. Retrieved from http:\/\/www.paradyn.org\/."},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1080\/14786440109462720"},{"key":"e_1_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2008.11.011"},{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICDM.2006.165"},{"volume-title":"Proceedings of the USENIX Symposium on Networked Systems Design and Implementation. 
USENIX Association","year":"2010","author":"Perdisci Roberto","key":"e_1_2_1_46_1"},{"key":"e_1_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.3115\/981311.981313"},{"volume":"12","volume-title":"Proceedings of the Annual Conference on Neural Information Processing Systems","author":"Sch\u00f6lkopf Bernhard","key":"e_1_2_1_48_1"},{"key":"e_1_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.5555\/882495.884433"},{"key":"e_1_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/1030083.1030124"},{"key":"e_1_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.5555\/1776434.1776437"},{"key":"e_1_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2976750"},{"key":"e_1_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813654"},{"key":"e_1_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-26362-5_13"},{"key":"e_1_2_1_55_1","doi-asserted-by":"crossref","unstructured":"Alexander Sotirov. 2007. Heap Feng Shui in JavaScript. (2007). Black Hat Europe.","DOI":"10.1215\/00265667-2007-69-7"},{"key":"e_1_2_1_56_1","doi-asserted-by":"crossref","unstructured":"S. C. Sundaramurthy, J. McHugh, X. S. Ou, S. R. Rajagopalan, and M. Wesch. 2014. An anthropological approach to studying CSIRTs. IEEE Security & Privacy 12, 5 (September 2014), 52--60.","DOI":"10.1109\/MSP.2014.84"},{"key":"e_1_2_1_57_1","unstructured":"Systemtap. 2006. SystemTap Overhead Test. https:\/\/sourceware.org\/ml\/systemtap\/2006-q3\/msg00146.html. (2006)."},{"key":"e_1_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2004.21"},{"volume-title":"Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society","author":"Wagner David","key":"e_1_2_1_59_1"},{"key":"e_1_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1145\/586110.586145"},{"key":"e_1_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1109\/SECPRI.1999.766910"},{"volume-title":"Proceedings of the 46th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN). IEEE","author":"Xu K.","key":"e_1_2_1_62_1"},{"key":"e_1_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2015.37"},{"volume":"166","volume-title":"Proceedings of the 2000 IEEE Systems, Man, and Cybernetics Information Assurance and Security Workshop","author":"Ye Nong","key":"e_1_2_1_64_1"},{"volume-title":"Computer and Information Sciences","author":"Zanero Stefano","key":"e_1_2_1_65_1"},{"key":"e_1_2_1_66_1","doi-asserted-by":"publisher","DOI":"10.1145\/2590296.2590309"},{"key":"e_1_2_1_67_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2016.01.002"}],"container-title":["ACM Transactions on Privacy and 
Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3105761","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3105761","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3105761","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,25]],"date-time":"2025-06-25T20:48:31Z","timestamp":1750884511000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3105761"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,9,20]]},"references-count":66,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2017,11,30]]}},"alternative-id":["10.1145\/3105761"],"URL":"https:\/\/doi.org\/10.1145\/3105761","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"type":"print","value":"2471-2566"},{"type":"electronic","value":"2471-2574"}],"subject":[],"published":{"date-parts":[[2017,9,20]]},"assertion":[{"value":"2016-07-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2017-05-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2017-09-20","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}
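The abstract above describes a two-stage design: a binary stage that reasons about which events co-occur anywhere in a long trace, and a quantitative stage that checks how often they do, so that attacks which keep every local window (e.g., each call/ret pair or n-gram) normal are still caught. The following Python is an added illustration of that idea written for this page; it is not the LAD prototype, the paper's grammar machinery, or its machine-learning model. All event names and traces are constructed, loosely modelled on a login daemon (not recorded from sshd), and the min/max ratio envelope is a deliberately simple stand-in for the one-class learner the paper uses to bound normal behaviour.

```python
"""Long-span behaviour check in two stages (binary co-occurrence, then count
ratios), contrasted with a local n-gram view. Added illustration; not the
paper's code. All traces below are constructed."""
from collections import Counter
from itertools import combinations

# Constructed training traces (function-call event names) for a toy login daemon.
NORMAL_TRACES = [
    ["read_packet", "check_password", "auth_fail", "send_reply", "close_conn"],
    ["read_packet", "check_password", "auth_ok", "send_reply",
     "setuid_user", "exec_shell", "close_conn"],
    ["read_packet", "check_password", "auth_fail", "send_reply",
     "read_packet", "check_password", "auth_ok", "send_reply",
     "setuid_user", "exec_shell", "close_conn"],
    ["read_packet", "check_password", "auth_fail", "send_reply"] * 3
    + ["close_conn"],
]

# Constructed attack traces. Both are built so that every adjacent pair of
# events (bigram) also occurs in training: they look normal at a local view.
ATTACK_AUTH_FLAG = [  # auth result flag corrupted: privileged path without auth_ok
    "read_packet", "check_password", "auth_fail", "send_reply",
    "setuid_user", "exec_shell", "close_conn"]
ATTACK_BRUTE_FORCE = (  # 40 password guesses inside a single connection
    ["read_packet", "check_password", "auth_fail", "send_reply"] * 40
    + ["close_conn"])


def ngrams(trace, n=2):
    """Local view: the set of n consecutive events (a short-span model)."""
    return {tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)}


def cooccurring_pairs(trace):
    """Binary level: unordered pairs of event kinds present anywhere in the
    trace, however far apart they occur."""
    return set(combinations(sorted(set(trace)), 2))


def count_ratios(trace, pairs):
    """Quantitative level: count ratio for each known co-occurring pair."""
    c = Counter(trace)
    return {(a, b): c[a] / c[b] for (a, b) in pairs if c[a] and c[b]}


class LongSpanModel:
    def __init__(self, traces, n=2, slack=2.0):
        self.n = n
        self.slack = slack  # assumed tolerance around the observed ratio envelope
        self.local = set().union(*(ngrams(t, n) for t in traces))
        self.pairs = set().union(*(cooccurring_pairs(t) for t in traces))
        # required[e]: kinds present in every training trace that contains e
        self.required = {}
        for t in traces:
            kinds = set(t)
            for e in kinds:
                self.required[e] = self.required.get(e, kinds) & kinds
        # (min, max) envelope of each pair ratio seen in training
        self.bounds = {}
        for t in traces:
            for pair, r in count_ratios(t, self.pairs).items():
                lo, hi = self.bounds.get(pair, (r, r))
                self.bounds[pair] = (min(lo, r), max(hi, r))

    def local_check(self, trace):
        """Unseen n-grams; empty for both constructed attacks above."""
        return ngrams(trace, self.n) - self.local

    def binary_check(self, trace):
        """Pairs that never co-occurred in training, plus (event, required
        companion) pairs where the companion is absent from the trace."""
        kinds = set(trace)
        novel = cooccurring_pairs(trace) - self.pairs
        missing = {(e, m) for e in kinds if e in self.required
                   for m in self.required[e] - kinds}
        return novel | missing

    def quantitative_check(self, trace):
        """Pair ratios outside the training envelope widened by `slack`."""
        out = {}
        for pair, r in count_ratios(trace, self.pairs).items():
            lo, hi = self.bounds[pair]
            if r < lo / self.slack or r > hi * self.slack:
                out[pair] = r
        return out

    def classify(self, trace):
        if self.binary_check(trace):
            return "anomalous:binary"
        if self.quantitative_check(trace):
            return "anomalous:quantitative"
        return "normal"


if __name__ == "__main__":
    m = LongSpanModel(NORMAL_TRACES)
    for name, t in [("auth-flag", ATTACK_AUTH_FLAG),
                    ("brute-force", ATTACK_BRUTE_FORCE)]:
        print(name, "unseen bigrams:", m.local_check(t), "->", m.classify(t))
```

The corrupted-flag trace passes the bigram check but fails the binary stage because exec_shell and setuid_user have always co-occurred with auth_ok in training and here do not; the brute-force trace passes both the bigram and binary stages and is caught only by the quantitative stage, where the auth_fail to close_conn ratio (40) lies far outside the envelope seen in training (1 to 3). The envelope needs far more training traces than four before it stops producing false positives on legitimate retries, which is where the paper's learned boundary replaces this min/max rule.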