
CloudSylla: Detecting Suspicious System Calls in the Cloud

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 8756)

Abstract

To protect computer systems against the tremendous number of daily malware threats, security software is typically installed on individual end hosts, and the responsibility to keep this software updated is often assigned to (inexperienced) users. A critical drawback of this strategy, especially in enterprise networks, is that a single unprotected client system can lead to severe attacks such as industrial espionage. To overcome this problem, a potential approach is to move the responsibility for applying the latest detection mechanisms to a centralized, continuously maintained network service that identifies suspicious behavior on end hosts and takes adequate actions once a client performs malicious activities. In this paper, we propose a security approach called CloudSylla (Cloud-based SYscaLL Analysis) in which a centralized network service analyzes the clients’ activities directly at the API and system call level. Among other advantages, this enables centralized management of signatures and a unified security policy. To evaluate the applicability of our approach, we implemented prototypes for desktop computers and mobile devices and found the approach to be applicable in practice, as it causes no substantial usability limitations on the client side.
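The abstract describes the architecture only at a high level: clients capture API and system call activity, a central service holds the signatures and the policy, and the client acts on the service's verdict. The following is an added example written for this page, not the authors' CloudSylla code: it models that split with a constructed client that batches hooked calls as JSON, a central service that matches ordered call-sequence signatures and maps the worst hit to one policy action, and two constructed traces (a benign file edit and a download-and-execute pattern). The signature format, the policy table, the JSON schema and the in-process "transport" are all assumptions made for the illustration.

```python
"""Added example (not the paper's code): a minimal model of a centralized
syscall-analysis service in the spirit of the CloudSylla abstract.

Assumptions (not from the paper): a client hooks API/system calls, batches
them per process as JSON and submits them to a central service; the service
keeps all signatures (ordered call sequences) and one policy table, and
answers with a verdict plus the action the client must take. The network
transport is simulated by passing the serialized JSON string directly."""
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Signature:
    name: str
    sequence: Tuple[str, ...]  # calls that must appear in this order (gaps allowed)
    severity: str              # "high" or "medium"


class CentralAnalysisService:
    """Central service: one signature set and one policy for all clients."""

    def __init__(self) -> None:
        self.signatures: List[Signature] = []
        # Unified policy: maps the worst matched severity to the client's action.
        self.policy: Dict[str, str] = {
            "high": "terminate_process",
            "medium": "alert_admin",
            "none": "allow",
        }

    def add_signature(self, sig: Signature) -> None:
        self.signatures.append(sig)

    @staticmethod
    def _matches(sequence: Tuple[str, ...], calls: List[str]) -> bool:
        """True if every call of `sequence` occurs in `calls`, in that order."""
        i = 0
        for call in calls:
            if i < len(sequence) and call == sequence[i]:
                i += 1
        return i == len(sequence)

    def analyze(self, request_json: str) -> str:
        """Parse one client batch and return a JSON verdict with the required action."""
        req = json.loads(request_json)
        calls = [event["syscall"] for event in req["events"]]
        hits = [s for s in self.signatures if self._matches(s.sequence, calls)]
        severity = "none"
        if any(h.severity == "high" for h in hits):
            severity = "high"
        elif hits:
            severity = "medium"
        return json.dumps({
            "client_id": req["client_id"],
            "pid": req["pid"],
            "matched": [h.name for h in hits],
            "severity": severity,
            "action": self.policy[severity],
        })


class Client:
    """End host: records hooked calls and ships them; keeps no signatures itself."""

    def __init__(self, client_id: str, service: CentralAnalysisService) -> None:
        self.client_id = client_id
        self.service = service
        self.buffer: Dict[int, List[dict]] = {}

    def record(self, pid: int, syscall: str, **args) -> None:
        self.buffer.setdefault(pid, []).append({"syscall": syscall, "args": args})

    def flush(self, pid: int) -> dict:
        """Submit the buffered trace of one process and return the service's verdict."""
        request = json.dumps({"client_id": self.client_id, "pid": pid,
                              "events": self.buffer.pop(pid, [])})
        return json.loads(self.service.analyze(request))  # transport is simulated


def run_demo() -> Dict[str, dict]:
    """Constructed traces: one benign editor session, one download-and-execute pattern."""
    service = CentralAnalysisService()
    service.add_signature(Signature(
        "downloaded_file_executed",
        ("connect", "recv", "CreateFile", "WriteFile", "CreateProcess"), "high"))
    service.add_signature(Signature(
        "autostart_persistence", ("RegOpenKey", "RegSetValue"), "medium"))

    client = Client("host-42", service)  # constructed client id
    for call in ("CreateFile", "ReadFile", "WriteFile", "CloseHandle"):
        client.record(1001, call, path="C:\\Users\\alice\\notes.txt")
    benign = client.flush(1001)

    for call in ("socket", "connect", "recv", "CreateFile", "WriteFile", "CreateProcess"):
        client.record(2002, call)
    suspicious = client.flush(2002)
    return {"benign": benign, "suspicious": suspicious}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(name, verdict)
```

The point the model makes is the one the abstract argues for: adding or revising a `Signature` or a `policy` entry on the service changes the verdict every client receives on its next `flush`, with nothing to update on the end hosts.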



Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Kührer, M., Hoffmann, J., Holz, T. (2014). CloudSylla: Detecting Suspicious System Calls in the Cloud. In: Felber, P., Garg, V. (eds) Stabilization, Safety, and Security of Distributed Systems. SSS 2014. Lecture Notes in Computer Science, vol 8756. Springer, Cham. https://doi.org/10.1007/978-3-319-11764-5_5


  • DOI: https://doi.org/10.1007/978-3-319-11764-5_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-11763-8

  • Online ISBN: 978-3-319-11764-5

  • eBook Packages: Computer Science (R0)