Understanding Precision in Host Based Intrusion Detection

Authors: Monirul Sharif, Kapil Singh, Jonathon Giffin, Wenke Lee

DOI: 10.1007/978-3-540-74320-0_2

Keywords:

Abstract: Many host-based anomaly detection systems monitor process execution at the granularity of system calls. Other recently proposed schemes instead verify the destinations of control-flow transfers to prevent the execution of attack code. This paper formally analyzes and compares real systems based on these two philosophies in terms of their attack detection capabilities, and proves and disproves several intuitions. We prove that for any system-call sequence model, under the same (static or dynamic) program analysis technique, there always exists a more precise control-flow model. While hybrid approaches combining system calls and control flows intuitively seem advantageous, especially when binary analysis constructs incomplete models, we show that they have no fundamental advantage over simpler control-flow models. Finally, we utilize ideas from our framework to make external monitoring feasible at the control-flow level. Our experiments show that external control-flow monitoring imposes performance overhead comparable to previous system-call based schemes while detecting synthetic and real-world attacks as effectively as an inlined monitor.

References (32)

Kymie M. C. Tan, Kevin S. Killourhy, Roy A. Maxion. Undermining an anomaly-based intrusion detection system using common exploits. Recent Advances in Intrusion Detection, pp. 54-73 (2002). DOI: 10.1007/3-540-36084-0_4

Barton P. Miller, Somesh Jha, Jonathon T. Giffin. Efficient Context-Sensitive Intrusion Detection. Network and Distributed System Security Symposium (2004).

Hossein Bidgoli. Handbook of Information Security. John Wiley & Sons, Inc. (2005).

Úlfar Erlingsson, Jay Ligatti, Martín Abadi, Mihai Budiu. Control-Flow Integrity: Principles, Implementations, and Applications. ACM Conference on Computer and Communications Security (2005).

Haizhi Xu, Wenliang Du, Steve J. Chapin. Context Sensitive Anomaly Monitoring of Process Control Flow to Detect Mimicry Attacks and Impossible Paths. Recent Advances in Intrusion Detection, pp. 21-38 (2004). DOI: 10.1007/978-3-540-30143-1_2

Jonathon T. Giffin, Somesh Jha, Barton P. Miller. Automated Discovery of Mimicry Attacks. Lecture Notes in Computer Science, pp. 41-60 (2006). DOI: 10.1007/11856214_3

David Wagner. Static Analysis and Software Assurance. Static Analysis Symposium, pp. 431-431 (2001). DOI: 10.1007/3-540-47764-0_25

Debin Gao, Dawn Song, Michael K. Reiter. On gray-box program tracking for anomaly detection. USENIX Security Symposium, pp. 8-8 (2004).

Martín Abadi, Mihai Budiu, Úlfar Erlingsson, Jay Ligatti. A theory of secure control flow. Formal Methods, pp. 111-124 (2005). DOI: 10.1007/11576280_9

Aaron Schwartzbard, Michael Schatz, Anup K. Ghosh. Learning program behavior profiles for intrusion detection. ID'99: Proceedings of the 1st Workshop on Intrusion Detection and Network Monitoring, Volume 1, pp. 6-6 (1999).