Sistemy i Sredstva Informatiki [Systems and Means of Informatics]
RUS  ENG    JOURNALS   PEOPLE   ORGANISATIONS   CONFERENCES   SEMINARS   VIDEO LIBRARY   PACKAGE AMSBIB  
General information
Latest issue
Archive
Impact factor

Search papers
Search references

RSS
Latest issue
Current issues
Archive issues
What is RSS



Sistemy i Sredstva Inform.:
Year:
Volume:
Issue:
Page:
Find






Personal entry:
Login:
Password:
Save password
Enter
Forgotten password?
Register


Sistemy i Sredstva Informatiki [Systems and Means of Informatics], 2021, Volume 31, Issue 4, Pages 48–60
DOI: https://doi.org/10.14357/08696527210405
(Mi ssi797)
 

On one method for detecting exploitation of vulnerabilities and its parameters

Yu. V. Kosolapov

Institute for Mathematics, Mechanics, and Computer Science named after I. I. Vorovich, Southern Federal University, 8a Milchakova Str., Rostov-on-Don 344090, Russian Federation
References:
Abstract: When a program vulnerability is successfully exploited, the exploit often calls some system function. Therefore, one of the possible ways to detect exploitation of a vulnerability of a specific program is to check for atypical distance between the call with the number $i$ and the call with the number $i-j$ where $j \in \{1, \ldots, T \}$, $T \in \mathbb {N} $. Distance is understood as the difference between the addresses of the call of these functions and the typicality is determined by checking whether it belongs to the distance profile. In addition to the $T$ parameter, the detection algorithm uses the parameter $W (\in \mathbb {N})$: it is the number of profiles against which the call is checked. In this case, for $j \in \{1, \ldots, W \}$, the profile with the number $j$ is constructed from pairs of calls from a legitimate sequence, the difference of call indices in which is equal to $j$. The aim of this work is, on the one hand, to describe the detection algorithm and, on the other, to provide an experimental estimate of the sufficient values of the parameters $W$ and $T$. As a result, in particular, it was found that the values of these parameters depend on the set of monitored functions; therefore, for each set of functions (and each protected program), these parameters must be found separately.
Keywords: software vulnerabilities, distance between function calls, program protection.
Received: 20.08.2020
Document Type: Article
Language: Russian
Citation: Yu. V. Kosolapov, “On one method for detecting exploitation of vulnerabilities and its parameters”, Sistemy i Sredstva Inform., 31:4 (2021), 48–60
Citation in format AMSBIB
\Bibitem{Kos21}
\by Yu.~V.~Kosolapov
\paper On one method for detecting exploitation of~vulnerabilities and~its~parameters
\jour Sistemy i Sredstva Inform.
\yr 2021
\vol 31
\issue 4
\pages 48--60
\mathnet{http://mi.mathnet.ru/ssi797}
\crossref{https://doi.org/10.14357/08696527210405}
Linking options:
  • https://www.mathnet.ru/eng/ssi797
  • https://www.mathnet.ru/eng/ssi/v31/i4/p48
  • Citing articles in Google Scholar: Russian citations, English citations
    Related articles in Google Scholar: Russian articles, English articles
    Системы и средства информатики
     
      Contact us:
     Terms of Use  Registration to the website  Logotypes © Steklov Mathematical Institute RAS, 2024