
Proxi-Annotated Control Flow Graphs: Deterministic Context-Sensitive Monitoring for Intrusion Detection

  • Conference paper
Distributed Computing and Internet Technology (ICDCIT 2004)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 3347))

Abstract

Model- or specification-based intrusion detection systems have been effective in detecting known and unknown host-based attacks with few false alarms [12, 15]. In this approach, a model of program behavior is developed either manually, using a high-level specification language, or automatically, by static or dynamic analysis of the program. Actual program execution is then monitored against the modeled behavior; deviations from it are flagged as attacks. In this paper we discuss a novel model generated by static analysis of executables (binary code). Our key contribution is a model that is both precise and efficient at runtime. Specifically, we extend the efficient control flow graph (CFG) based program behavioral model with context-sensitive information, thus providing the precision afforded by the more expensive pushdown systems (PDS). Executables are instrumented with operations on auxiliary variables, referred to as proxi variables. These annotations allow the context-sensitive control flow graphs obtained by statically analyzing the executables to be deterministic at runtime. We prove that the resulting model, called a proxi-annotated control flow graph, is as precise as previous approaches that use context-sensitive pushdown models and, in fact, improves on their runtime efficiency. We show that our technique handles different variations of recursion in a program efficiently, which results in better monitoring of programs where the recursion depth is not pre-determined.
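The abstract contrasts three monitors: a plain CFG model (cheap, but imprecise because a function exit may "return" to any call site), a pushdown model (precise, but a set of live configurations with stacks must be tracked), and the paper's proxi-annotated CFG (precise and deterministic). The following is an added worked example, not code from the paper, that makes the distinction concrete on a constructed toy program: a system-call trace that returns from `log()` to the wrong call site and skips `read()` is accepted by the context-insensitive monitor and rejected by the context-sensitive ones. The paper's exact proxi-variable construction is not given in the abstract; the third monitor here assumes, as an illustration only, that the instrumented binary emits a `call@<site>` event at every call and a `ret` event at every return, so that the monitor never has more than one live configuration. The program, its CFG, the function names and all traces are made up.

```python
"""Constructed example: one toy CFG monitored by (1) a context-insensitive
NFA, (2) a context-sensitive pushdown model, (3) a deterministic monitor
fed auxiliary call-site events from an assumed binary instrumentation
(standing in for the paper's proxi variables; not the paper's construction)."""

# node -> (label, successors); label is a syscall name, "call:<callee>",
# "branch" (silent fan-out) or "exit".  Non-branch nodes have one successor.
CFG = {
    "main": {
        0: ("open", [1]),
        1: ("call:log", [2]),      # call site 1
        2: ("read", [3]),
        3: ("branch", [4, 5]),
        4: ("call:log", [6]),      # call site 4
        5: ("call:audit", [6]),    # call site 5
        6: ("close", [7]),
        7: ("exit", []),
    },
    "log":   {0: ("write", [1]), 1: ("exit", [])},
    "audit": {0: ("write", [1]), 1: ("fsync", [2]), 2: ("exit", [])},
}

def label(node):
    return CFG[node[0]][node[1]][0]

def succ(node):
    return [(node[0], s) for s in CFG[node[0]][node[1]][1]]

# every call site in the program, with its callee
CALL_SITES = {(f, n): lab[5:] for f, g in CFG.items()
              for n, (lab, _) in g.items() if lab.startswith("call:")}

def _closure(start, silent):
    """Saturate a set of configurations under the silent moves of silent()."""
    seen, work = set(start), list(start)
    while work:
        for t in silent(work.pop()):
            if t not in seen:
                seen.add(t)
                work.append(t)
    return seen

def _run(start, silent, advance, syscalls):
    """Generic monitor loop: (trace accepted?, max live configurations)."""
    live = _closure({start}, silent)
    width = len(live)
    for sc in syscalls:
        live = _closure({t for c in live for t in advance(c, sc)}, silent)
        if not live:
            return False, width
        width = max(width, len(live))
    return True, width

# (1) context-insensitive: a function exit may return to ANY of its call sites
def _nfa_silent(node):
    lab = label(node)
    if lab.startswith("call:"):
        return [(lab[5:], 0)]
    if lab == "branch":
        return succ(node)
    if lab == "exit":
        return [r for site, callee in CALL_SITES.items()
                if callee == node[0] for r in succ(site)]
    return []

def nfa_monitor(syscalls):
    return _run(("main", 0), _nfa_silent,
                lambda n, sc: succ(n) if label(n) == sc else [], syscalls)

# (2) pushdown: a call pushes its return node, an exit pops it
def _pds_silent(cfg):
    node, stack = cfg
    lab = label(node)
    if lab.startswith("call:"):
        return [((lab[5:], 0), stack + (r,)) for r in succ(node)]
    if lab == "branch":
        return [(t, stack) for t in succ(node)]
    if lab == "exit" and stack:
        return [(stack[-1], stack[:-1])]
    return []

def pds_monitor(syscalls):
    return _run((("main", 0), ()), _pds_silent,
                lambda c, sc: [(t, c[1]) for t in succ(c[0])] if label(c[0]) == sc else [],
                syscalls)

# (3) deterministic context-sensitive monitor over an instrumented trace
def _branch_targets(node):
    """Non-silent nodes reachable from node through branch nodes only."""
    out, work = set(), [node]
    while work:
        n = work.pop()
        if label(n) == "branch":
            work.extend(succ(n))
        else:
            out.add(n)
    return out

def det_monitor(events):
    """Events: syscalls plus 'call@<site>' / 'ret' from the assumed
    instrumentation.  Exactly one (node, stack) configuration is live."""
    node, stack = ("main", 0), []
    for ev in events:
        cands = _branch_targets(node)
        if ev.startswith("call@"):
            hits = [n for n in cands if n == (node[0], int(ev[5:]))]
        elif ev == "ret":
            hits = [n for n in cands if label(n) == "exit"]
        else:
            hits = [n for n in cands if label(n) == ev]
        if len(hits) != 1:          # no transition, or an ambiguous model
            return False
        n = hits[0]
        if ev.startswith("call@"):
            stack.append(succ(n)[0])
            node = (label(n)[5:], 0)
        elif ev == "ret":
            if not stack:
                return False
            node = stack.pop()
        else:
            node = succ(n)[0]
    return True

# constructed traces: a legitimate run, and an "impossible path" that
# returns from log() to the second call site, skipping read()
LEGIT = ["open", "write", "read", "write", "close"]
IMPOSSIBLE = ["open", "write", "close"]
LEGIT_INSTR = ["open", "call@1", "write", "ret", "read", "call@4", "write", "ret", "close"]
IMPOSSIBLE_INSTR = ["open", "call@1", "write", "ret", "close"]

if __name__ == "__main__":
    print("NFA:", nfa_monitor(LEGIT), nfa_monitor(IMPOSSIBLE))   # accepts the impossible path
    print("PDS:", pds_monitor(LEGIT), pds_monitor(IMPOSSIBLE))   # rejects it, tracks a set
    print("DET:", det_monitor(LEGIT_INSTR), det_monitor(IMPOSSIBLE_INSTR))
```

The second element returned by `nfa_monitor` and `pds_monitor` is the largest set of configurations the monitor had to carry at once; the pushdown monitor additionally carries a return stack in each. The instrumented monitor needs neither, which is the runtime advantage the abstract claims for determinism; the cost, as in the paper, is that the executable must be instrumented before monitoring.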


References

  1. Aho, A.V.: Handbook of Theoretical Computer Science, vol. A. Elsevier Science Publishers B.V., Amsterdam (1990)
  2. Anderson, D., Lunt, T., Javitz, H., Tamaru, A., Valdes, A.: Next-generation intrusion detection expert system: A summary. Technical Report SRI-CSL-95-07, SRI International (1995)
  3. Bouajjani, A., Esparza, J., Maler, O.: Reachability analysis of pushdown automata: Application to model checking. In: CONCUR (1997)
  4. Eckmann, S., Vigna, G., Kemmerer, R.: STATL. Technical Report 2000-19, UCSB
  5. Esparza, J., Hansel, D., Rossmanith, P., Schwoon, S.: Efficient algorithms for model checking pushdown systems. In: Emerson, E.A., Sistla, A.P. (eds.) CAV 2000. LNCS, vol. 1855, pp. 232–247. Springer, Heidelberg (2000)
  6. Esparza, J., Schwoon, S.: A BDD-based model checker for recursive programs. In: Berry, G., Comon, H., Finkel, A. (eds.) CAV 2001. LNCS, vol. 2102, pp. 324–336. Springer, Heidelberg (2001)
  7. Bowen, T., et al.: Building survivable systems: An integrated approach based on intrusion detection and confinement. In: DARPA Information Security Symposium (2000)
  8. Feng, H., Griffin, J., Huang, Y., Jha, S., Lee, W., Miller, B.: Formalizing sensitivity in static analysis for intrusion detection. In: IEEE Symposium on Security and Privacy (May 2004)
  9. Forrest, S., Henning, R., Reed, J., Simonian, R.: A neural network approach towards intrusion detection. In: National Computer Security Conference (1990)
  10. Griffin, J.T., Jha, S., Miller, B.P.: Detecting manipulated remote call streams. In: USENIX Security Symposium (August 2002)
  11. Ilgun, K.: A real-time intrusion detection system for UNIX. In: IEEE Symposium on Security and Privacy (1993)
  12. Ko, C.: Execution Monitoring of Security-Critical Programs in a Distributed System: A Specification-Based Approach. PhD thesis, University of California, Davis (December 1996)
  13. Pouzol, J., Ducassé, M.: From declarative signatures to misuse intrusion detection systems. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, p. 1. Springer, Heidelberg (2001)
  14. Sekar, R., Uppuluri, P.: Synthesizing fast intrusion prevention/detection systems from high-level specifications. In: USENIX Security Symposium (1999)
  15. Uppuluri, P., Sekar, R.: Experiences with specification-based intrusion detection. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, p. 172. Springer, Heidelberg (2001)
  16. Wagner, D., Dean, D.: Intrusion detection via static analysis. In: IEEE Symposium on Security and Privacy (May 2001)


Copyright information

© 2004 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Basu, S., Uppuluri, P. (2004). Proxi-Annotated Control Flow Graphs: Deterministic Context-Sensitive Monitoring for Intrusion Detection. In: Ghosh, R.K., Mohanty, H. (eds) Distributed Computing and Internet Technology. ICDCIT 2004. Lecture Notes in Computer Science, vol 3347. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30555-2_41


  • DOI: https://doi.org/10.1007/978-3-540-30555-2_41

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-24075-4

  • Online ISBN: 978-3-540-30555-2
