Improving Host-Based IDS with Argument Abstraction to Prevent Mimicry Attacks

  • Conference paper

Recent Advances in Intrusion Detection (RAID 2005)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 3858)

Abstract

A popular class of host-based Intrusion Detection Systems (IDS) is the one based on comparing the system call trace of a process against a set of k-grams. However, the detection mechanism in such an IDS can be evaded by cloaking an attack as a mimicry attack. In this paper, we give an algorithm that transforms a detectable attack into a mimicry attack. We demonstrate on a number of examples that, using this algorithm, mimicry attacks can be easily constructed against self-based IDS with a set of k-grams and also against a more precise graph profile representation. We enhance the IDS by making use of the system call arguments and process credentials. To avoid increasing the false positives, a supplied specification is used to abstract the system call arguments and process credentials. The specification takes into account which objects in the system can be sensitive to potential attacks, and highlights the occurrence of “dangerous” operations. With this simple extension, we show that the robustness of the IDS is increased. Our preliminary experiments show that on our example programs and attacks, it was no longer possible to construct mimicry attacks. We also demonstrate that the enhanced IDS provides resistance to a variety of common attack strategies.
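As an added illustration of the abstract's point (not the paper's own code or data): a k-gram profile built over system call names alone accepts a trace whose call sequence matches normal behaviour, while the same trace is flagged once arguments and credentials are abstracted through a specification of sensitive objects. The web-server scenario, the traces, the sensitive-path list and the abstraction functions are all constructed assumptions.

```python
"""k-gram syscall IDS, with and without argument abstraction (constructed example)."""
from typing import List, Set, Tuple

# One trace event: (syscall, path, open flags, effective uid). Constructed, not real data.
Event = Tuple[str, str, str, int]

# Constructed "normal" traces of a hypothetical web server serving static files as uid 33.
NORMAL_TRACES: List[List[Event]] = [
    [("open", "/var/www/index.html", "O_RDONLY", 33), ("read", "", "", 33),
     ("write", "", "", 33), ("close", "", "", 33)],
    [("open", "/var/www/about.html", "O_RDONLY", 33), ("read", "", "", 33),
     ("write", "", "", 33), ("close", "", "", 33)],
]
# Constructed trace: same call sequence as normal, but the open targets a sensitive file for writing.
MIMICRY_TRACE: List[Event] = [
    ("open", "/etc/passwd", "O_WRONLY", 33), ("read", "", "", 33),
    ("write", "", "", 33), ("close", "", "", 33),
]
SENSITIVE_PREFIXES = ("/etc/", "/bin/", "/usr/bin/")  # constructed specification of sensitive objects

def by_name(ev: Event) -> str:
    """Baseline abstraction: keep only the system call name (the classic k-gram IDS)."""
    return ev[0]

def by_spec(ev: Event) -> str:
    """Specification-driven abstraction of arguments and credentials into a small token set."""
    name, path, flags, uid = ev
    if name == "open":
        sensitive = path.startswith(SENSITIVE_PREFIXES)
        writable = "O_WRONLY" in flags or "O_RDWR" in flags
        if sensitive and writable:
            return "open:SENSITIVE_WRITE"        # highlighted "dangerous" operation
        return "open:SENSITIVE_READ" if sensitive else "open:PUBLIC"
    if name in ("execve", "setuid", "chmod"):
        return name + ":DANGEROUS"
    return name + (":root" if uid == 0 else ":user")  # credential folded into the token

def build_profile(traces: List[List[Event]], k: int, abstract) -> Set[tuple]:
    """Collect every k-gram of abstracted tokens seen in the training traces."""
    grams: Set[tuple] = set()
    for trace in traces:
        toks = [abstract(e) for e in trace]
        grams.update(tuple(toks[i:i + k]) for i in range(len(toks) - k + 1))
    return grams

def is_anomalous(trace: List[Event], profile: Set[tuple], k: int, abstract) -> bool:
    """Self-based check: any k-gram absent from the profile marks the trace anomalous."""
    toks = [abstract(e) for e in trace]
    return any(tuple(toks[i:i + k]) not in profile for i in range(len(toks) - k + 1))
```

With k=3, the name-only profile accepts MIMICRY_TRACE, whereas the profile over by_spec tokens rejects it on its first 3-gram, without flagging either normal trace.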



© 2006 Springer-Verlag Berlin Heidelberg

Cite this paper

Sufatrio, Yap, R.H.C. (2006). Improving Host-Based IDS with Argument Abstraction to Prevent Mimicry Attacks. In: Valdes, A., Zamboni, D. (eds) Recent Advances in Intrusion Detection. RAID 2005. Lecture Notes in Computer Science, vol 3858. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11663812_8


  • DOI: https://doi.org/10.1007/11663812_8

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-31778-4

  • Online ISBN: 978-3-540-31779-1
