Article code: 461403
Journal code: 696591
Publication year: 2011
English article: 20-page PDF
Full-text version: Free download
English title of the ISI article
Taxonomy and classification of automatic monitoring of program security vulnerability exploitations
Related topics
Engineering and Basic Sciences, Computer Engineering, Computer Networks and Communications
English abstract

Software applications (programs) are implemented in a wide variety of languages and run on different execution environments. Programs contain vulnerabilities which can be detected before their deployment. Nevertheless, there exist some program vulnerabilities, which do not surface until a program is operational. No matter how much effort has been put during the development phases, building large vulnerability-free programs has proven extremely difficult in practice. Given that, it is very important to have a tool that can be used for online monitoring of programs in the operational stage. The tool can help to mitigate the consequences of some vulnerability exploitations, by early detection of attacks at runtime. Currently, many monitoring approaches have been proposed and applied in practice. However, there is no classification of these approaches to understand their common characteristics and limitations. In this paper, we present a taxonomy and classification of the state of the art approaches employed for monitoring program vulnerability exploitations (or attacks). We first classify the existing approaches based on a set of characteristics which are common in online attack detection approaches. Then, we present a taxonomy by classifying the approaches based on monitoring aspects that primarily differentiate among the approaches. We also discuss open issues and future research direction in the area of program vulnerability exploitation monitoring. The study will enable practitioners and researchers to differentiate among existing monitoring approaches. It will provide a guideline to consider the desired characteristics while developing monitoring approaches.

Publisher
Database: Elsevier - ScienceDirect
Journal: Journal of Systems and Software - Volume 84, Issue 2, February 2011, Pages 250–269