Skip to main content
SpringerLink
Log in
Book cover

International Workshop on Recent Advances in Intrusion Detection

RAID 2006: Recent Advances in Intrusion Detection pp 41–60Cite as

Automated Discovery of Mimicry Attacks

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNISA,volume 4219))

Abstract

Model-based anomaly detection systems restrict program execution by a predefined model of allowed system call sequences. These systems are useful only if they detect actual attacks. Previous research developed manually-constructed mimicry and evasion attacks that avoided detection by hiding a malicious series of system calls within a valid sequence allowed by the model. Our work helps to automate the discovery of such attacks. We start with two models: a program model of the application’s system call behavior and a model of security-critical operating system state. Given unsafe OS state configurations that describe the goals of an attack, we then find system call sequences allowed as valid execution by the program model that produce the unsafe configurations. Our experiments show that we can automatically find attack sequences in models of programs such as wu-ftpd and passwd that previously have only been discovered manually. When undetected attacks are present, we frequently find the sequences with less than 2 seconds of computation.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Ball, T., Rajamani, S.K.: Bebop: A symbolic model checker for boolean programs. In: 7th International SPIN Workshop on Model Checking of Software. Stanford, California (2000)

    Google Scholar 

  2. Besson, F., Jensen, T., Métayer, D.L., Thorn, T.: Model checking security properties of control-flow graphs. Journal of Computer Security 9, 217–250 (2001)

    Google Scholar 

  3. Chen, H., Wagner, D.: MOPS: An infrastructure for examining security properties of software. In: 9th ACM Conference on Computer and Communications Security (CCS), Washington, DC (November 2002)

    Google Scholar 

  4. Clarke, E.M., Grumberg, O., Peled, D.A.: Model Checking. MIT Press, Cambridge (2000)

    Google Scholar 

  5. Esparza, J., Hansel, D., Rossmanith, P., Schwoon, S.: Efficient algorithms for model checking pushdown systems. In: Computer Aided Verification (CAV), Chicago, Illinois (July 2000)

    Google Scholar 

  6. Feng, H.H., Giffin, J.T., Huang, Y., Jha, S., Lee, W., Miller, B.P.: Formalizing sensitivity in static analysis for intrusion detection. In: IEEE Symposium on Security and Privacy, Oakland, California (May 2004)

    Google Scholar 

  7. Forrest, S.: Data sets—synthetic FTP (1998), http://www.cs.unm.edu/~immsec/data/FTP/UNM/-normal/synth/

  8. Forrest, S., Hofmeyr, S.A., Somayaji, A., Longstaff, T.A.: A sense of self for UNIX processes. In: IEEE Symposium on Security and Privacy, Oakland, California (May 1996)

    Google Scholar 

  9. Gao, D., Reiter, M.K., Song, D.: On gray-box program tracking for anomaly detection. In: USENIX Security Symposium, San Diego, California (August 2004)

    Google Scholar 

  10. Giffin, J.T., Dagon, D., Jha, S., Lee, W., Miller, B.P.: Environment-sensitive intrusion detection. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 185–206. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  11. Giffin, J.T., Jha, S., Miller, B.P.: Detecting manipulated remote call streams. In: 11th USENIX Security Symposium, San Francisco, California (August 2002)

    Google Scholar 

  12. Gopalakrishna, R., Spafford, E.H., Vitek, J.: Efficient intrusion detection using automaton inlining. In: IEEE Symposium on Security and Privacy, Oakland, California (May 2005)

    Google Scholar 

  13. Guttman, J.D., Herzog, A.L., Ramsdell, J.D., Skorupka, C.W.: Verifying information flow goals in Security-Enhanced Linux. Journal of Computer Security 13, 115–134 (2005)

    Google Scholar 

  14. Lam, L.C., Chiueh, T.-c.: Automatic extraction of accurate application-specific sandboxing policy. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 1–20. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  15. Ramakrishnan, C.R., Sekar, R.: Model-based vulnerability analysis of computer systems. In: 2nd International Workshop on Verification, Model Checking and Abstract Interpretation, Pisa, Italy (September 1998)

    Google Scholar 

  16. Schneider, F.B.: Enforceable security policies. ACM Transactions on Information and System Security 3(1), 30–50 (2000)

    Article  Google Scholar 

  17. Schwoon, S.: Model-Checking Pushdown Systems. Ph.D. dissertation, Technische Universität München (June 2002)

    Google Scholar 

  18. Schwoon, S.: Moped—a model-checker for pushdown systems (2006), http://www.fmi.uni-stuttgart.de/szs/tools/moped/

  19. Sekar, R., Bendre, M., Bollineni, P., Dhurjati, D.: A fast automaton-based method for detecting anomalous program behaviors. In: IEEE Symposium on Security and Privacy, Oakland, California (May 2001)

    Google Scholar 

  20. Tan, K.M.C., Killourhy, K.S., Maxion, R.A.: Undermining an anomaly-based intrusion detection system using common exploits. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, p. 54. Springer, Heidelberg (2002)

    Chapter  Google Scholar 

  21. Tan, K., Maxion, R.A.: “Why 6?” Defining the operational limits of stide, an anomaly based intrusion detector. In: IEEE Symposium on Security and Privacy, Oakland, California (May 2002)

    Google Scholar 

  22. Tan, K., McHugh, J., Killourhy, K.: Hiding intrusions: From the abnormal to the normal and beyond. In: 5th International Workshop on Information Hiding, Noordwijkerhout, Netherlands (October 2002)

    Google Scholar 

  23. Wagner, D., Dean, D.: Intrusion detection via static analysis. In: IEEE Symposium on Security and Privacy, Oakland, California (May 2001)

    Google Scholar 

  24. Wagner, D., Soto, P.: Mimicry attacks on host based intrusion detection systems. In: 9th ACM Conference on Computer and Communications Security, Washington, DC (November 2002)

    Google Scholar 

  25. Walker, B.J., Kemmerer, R.A., Popek, G.J.: Specification and verification of the UCLA Unix security kernel. Communications of the ACM 23(2) (February 1980)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Computer Sciences Department, University of Wisconsin,  

    Jonathon T. Giffin, Somesh Jha & Barton P. Miller

Authors
  1. Jonathon T. Giffin
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Somesh Jha
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Barton P. Miller
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. IBM Research Laboratory, Säumerstr. 4, 8803, Rüschlikon, Switzerland

    Diego Zamboni

  2. Secure Systems Lab, Technical University of Vienna, 1040, Vienna, Austria

    Christopher Kruegel

Rights and permissions

Reprints and permissions

Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Giffin, J.T., Jha, S., Miller, B.P. (2006). Automated Discovery of Mimicry Attacks. In: Zamboni, D., Kruegel, C. (eds) Recent Advances in Intrusion Detection. RAID 2006. Lecture Notes in Computer Science, vol 4219. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11856214_3

Download citation

  • DOI: https://doi.org/10.1007/11856214_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-39723-6

  • Online ISBN: 978-3-540-39725-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation