Intrusion detection/prevention using behavior specifications

摘要: In this dissertation, we present an approach to detect attacks on computing infrastructures and launch responses that prevent or minimize the damage caused by these attacks. Our is specification based, in which, security-relevant behavior of a system specified using high level language. Attacks are detected as deviations from enforcement algorithm. Previous work specifying enforcing security fall short addressing key requirements such which are: expressive/concise language with unambiguous semantics efficient algorithm correct respect The result approaches expressive behavioral properties cannot be specified, them not efficient, they do provide sufficient confidence their regular expressions over events (REEs) based computational model REEs, called extended finite automata (EFA). We unambiguous/precise REEs prove correctness completeness them. This provides assurance enforced behavior. also developed translates REE into fast pattern matching automaton forms basis In addition, EFAs were used develop prototype intrusion detection/prevention for UNIX operating system. was designed following two observations: regardless nature attack, will ultimately calls made attacked processes, no can if program behaving normally. concrete modeling (BMSL) specify well any detected. BMSL specifications capture behaviors programs sequences arguments, programs. mechanism call interposing. Intercepted redirected corresponding process making calls. describe problems interposition most commonly detection techniques, kernel user-level, propose novel hybrid interposition. address challenge splitting functionality between user-levels. (Abstract shortened UMI.)