Needles in a Haystack: Using PORT to Catch Bad Behaviors within Application Recordings

Preston Moore, Thomas Wies, Marc Waldman, Phyllis Frankl, Justin Cappos

2022

Abstract

Earlier work has proven that information extracted from recordings of an application’s activity can be tremendously valuable. However, given the many requests that pass between applications and external entities, it has been difficult to isolate the handful of patterns that indicate the potential for failure. In this paper, we propose a method that harnesses proven event processing techniques to find those problematic patterns. The key addition is PORT, a new domain-specific language which, when combined with its event stream recognition and transformation engine, enables users to extract patterns in system call recordings and other streams, and then rewrite input activity on the fly. The former task can spot activity that indicates a bug, while the latter produces a modified stream for use in more active testing. We evaluated PORT’s capabilities in several ways, starting with recreating the mutators and checkers utilized by an earlier work called SEA to modify and replay the results of system calls. Our re-implementations achieved the same efficacy using fewer lines of code. We also illustrated PORT’s extensibility by adding support for detecting malicious USB commands within recorded traffic.

Paper Citation


in Harvard Style

Moore P., Wies T., Waldman M., Frankl P. and Cappos J. (2022). Needles in a Haystack: Using PORT to Catch Bad Behaviors within Application Recordings. In Proceedings of the 17th International Conference on Software Technologies - Volume 1: ICSOFT, ISBN 978-989-758-588-3, pages 137-145. DOI: 10.5220/0011142300003266


in Bibtex Style

@conference{icsoft22,
author={Preston Moore and Thomas Wies and Marc Waldman and Phyllis Frankl and Justin Cappos},
title={Needles in a Haystack: Using PORT to Catch Bad Behaviors within Application Recordings},
booktitle={Proceedings of the 17th International Conference on Software Technologies - Volume 1: ICSOFT},
year={2022},
pages={137-145},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0011142300003266},
isbn={978-989-758-588-3},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 17th International Conference on Software Technologies - Volume 1: ICSOFT
TI - Needles in a Haystack: Using PORT to Catch Bad Behaviors within Application Recordings
SN - 978-989-758-588-3
AU - Moore P.
AU - Wies T.
AU - Waldman M.
AU - Frankl P.
AU - Cappos J.
PY - 2022
SP - 137
EP - 145
DO - 10.5220/0011142300003266