Here’s a presentation, “Learning Program Behavior Profiles for Intrusion Detection”, intended to talk about a few neural network approaches to the problem of detecting anomalous behavior in a network setting. The material is taken from a 1999 paper of the same name as the post, by Anup Ghosh, Aaron Schwartzbard, et al. from Reliable Software Technologies Corp., published at Usenix. The truth is there are many other alternative machine learning approaches alive and well out there, not covered in this paper, that have more mathematically dependable results, while neural nets work almost magically without too many people understanding why, lacking sufficient proofs. However, I think there is still value in understanding older methods even though a decade has been enough to cover the nets in dust. Another point is that though this group does present well above average results in its paper, which demonstrate that the method can be used for less critical networks, they are not acceptable for companies and orgs that don’t have room for errors.
The original paper can be found listed under Usenix.
I will try to keep this to the point. Auto-completion on the terminal is something we all love, and it makes using a UNIX system and running commands far more pleasant. Most shells can auto-complete path names, binary names, and built-in commands. Bash goes further and supports auto-completing user names, hosts and a few other trivial things. No shell that I know of has ever attempted to auto-complete the arguments that the binaries take. Leaving out support for this makes sense, as there is no common way for a binary to store the arguments it can take inside the program binary, and it is bound to be a porting nightmare.
Keeping this in mind, I realized that almost every single UNIX binary gets its arguments from the shell in a standard, POSIX-compliant way. The getopt libc function call parses the input from the shell into usable internal flags. If one were to peek inside what each binary gives to getopt(), one would find out all the arguments it is expecting to take and gain more insight about the executable! This is what I have done and what the remainder of the post is about.
This is what my previous post related to. Now I realize this is a slightly silly goal. My primary reason for doing this is to learn the techniques I’ve used to get there, which I simply could not learn without experimentation and a concrete goal in mind. The way this problem was attacked is as follows: