Abstract
Model- or specification-based intrusion detection systems have been effective in detecting known and unknown host-based attacks with few false alarms [12, 15]. In this approach, a model of program behavior is developed either manually, using a high-level specification language, or automatically, by static or dynamic analysis of the program. The actual program execution is then monitored against the modeled behavior; deviations from it are flagged as attacks. In this paper we discuss a novel model generated by static analysis of executables (binary code). Our key contribution is a model that is both precise and runtime efficient. Specifically, we extend the efficient control flow graph (CFG) based program behavioral model with context-sensitive information, thus providing the precision afforded by the more expensive push-down systems (PDS). Executables are instrumented with operations on auxiliary variables, referred to as proxi variables. These annotated variables allow the context-sensitive control flow graphs obtained by statically analyzing the executables to be deterministic at runtime. We prove that the resulting model, called the proxi-annotated control flow graph, is as precise as previous approaches that use context-sensitive push-down models and, in fact, improves on the runtime efficiency of such models. We show the flexibility of our technique in handling different variations of recursion in a program efficiently. This results in better treatment of monitored programs whose recursion depth is not pre-determined.
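As an added illustration of the distinction the abstract draws (not the paper's construction; the actual proxi encoding is not described on this page), the following Python runs one CFG-based monitor in two modes: as a plain CFG, where call and return edges are silent so a return may resume at any call site, and as a proxi-annotated CFG, where an instrumentation event at each call site sets a proxi variable that guards the matching return edge. The toy program, its CFG, the event names and the guard encoding are all constructed for this demo.

```python
CFG = {  # constructed toy program: node -> [(edge label, next node)]
    "m0": [("open", "m1")],
    "m1": [("call:A", "f0")],   # call f() from site A
    "mA": [("write", "m2")],    # continuation of site A
    "m2": [("call:B", "f0")],   # call f() from site B
    "mB": [("exec", "m3")],     # continuation of site B
    "m3": [("exit", "END")],
    "f0": [("read", "f1")],
    "f1": [("ret:A", "mA"), ("ret:B", "mB")],  # f() may return to A or B
}

def observable(label, guarded):
    """Syscalls are always observed; 'call:X' only in the proxi model."""
    kind = label.partition(":")[0]
    return kind not in ("call", "ret") or (kind == "call" and guarded)
def closure(confs, guarded):
    """Follow silent edges from (node, proxi) configurations. Plain CFG:
    call/ret are silent, unguarded. Proxi: ret:X silent iff proxi == X."""
    stack, seen = list(confs), set(confs)
    while stack:
        node, proxi = stack.pop()
        for label, nxt in CFG.get(node, []):
            kind, _, site = label.partition(":")
            silent = (kind == "ret" and (not guarded or site == proxi)) \
                or (kind == "call" and not guarded)
            if silent and (nxt, proxi) not in seen:
                seen.add((nxt, proxi)); stack.append((nxt, proxi))
    return seen
def run(trace, guarded):
    """Monitor a trace. Returns (accepted, max live configurations at any
    step); live = END or has an observable edge. Proxi model keeps one."""
    confs, width = closure({("m0", None)}, guarded), 0
    for ev in trace + [None]:
        live = [c for c in confs if c[0] == "END" or
                any(observable(l, guarded) for l, _ in CFG.get(c[0], []))]
        width = max(width, len(live))
        if ev is None:
            return any(n == "END" for n, _ in confs), width
        kind, _, site = ev.partition(":")
        if kind == "call" and not guarded:
            continue  # plain model never sees the instrumentation events
        nxt = {(to, site if kind == "call" else proxi) for node, proxi in confs
               for label, to in CFG.get(node, []) if label == ev}
        confs = closure(nxt, guarded)
        if not confs: return False, width

NORMAL = ["open", "call:A", "read", "write", "call:B", "read", "exec", "exit"]
# f() entered from site A but resumes at site B's continuation (write skipped)
IMPOSSIBLE = ["open", "call:A", "read", "exec", "exit"]
```

The plain model accepts IMPOSSIBLE and has to track two live return targets after every `read`; the proxi model rejects it and never tracks more than one configuration.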
References
Aho, A.V.: Handbook of Theoretical Computer Science, vol. A. Elsevier Science Publishers B.V, Amsterdam (1990)
Anderson, D., Lunt, T., Javitz, H., Tamaru, A., Valdes, A.: Next-generation intrusion detection expert system: A summary. Technical Report SRI-CSL-95-07, SRI International (1995)
Bouajjani, A., Esparza, J., Maler, O.: Reachability analysis of pushdown automata: Application to model checking. In: CONCUR (1997)
Eckmann, S., Vigna, G., Kemmerer, R.: STATL. Technical Report 2000-19, UCSB (2000)
Esparza, J., Hansel, D., Rossmanith, P., Schwoon, S.: Efficient algorithms for model checking pushdown systems. In: Emerson, E.A., Sistla, A.P. (eds.) CAV 2000. LNCS, vol. 1855, pp. 232–247. Springer, Heidelberg (2000)
Esparza, J., Schwoon, S.: A BDD-based model checker for recursive programs. In: Berry, G., Comon, H., Finkel, A. (eds.) CAV 2001. LNCS, vol. 2102, pp. 324–336. Springer, Heidelberg (2001)
Bowen, T., et al.: Building survivable systems: An integrated approach based on intrusion detection and confinement. In: DARPA Information Security Symposium (2000)
Feng, H., Griffin, J., Huang, Y., Jha, S., Lee, W., Miller, B.: Formalizing sensitivity in static analysis for intrusion detection. In: IEEE Symposium on Security and Privacy (May 2004)
Forrest, S., Henning, R., Reed, J., Simonian, R.: A neural network approach towards intrusion detection. In: National Computer Security Conference (1990)
Griffin, J.T., Jha, S., Miller, B.P.: Detecting manipulated remote call streams. In: USENIX Security Symposium (August 2002)
Ilgun, K.: A real-time intrusion detection system for UNIX. In: IEEE Symposium on Security and Privacy (1993)
Ko, C.: Execution Monitoring of Security-Critical Programs in a Distributed System: A Specification-Based Approach. PhD thesis, University of California, Davis (December 1996)
Pouzol, J., Ducasse, M.: From declarative signature to misuse intrusion detection systems. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, p. 1. Springer, Heidelberg (2001)
Sekar, R., Uppuluri, P.: Synthesizing fast intrusion prevention/detection systems from high-level specifications. In: USENIX Security Symposium (1999)
Uppuluri, P., Sekar, R.: Experiences with specification-based intrusion detection. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, p. 172. Springer, Heidelberg (2001)
Wagner, D., Dean, D.: Intrusion detection via static analysis. In: IEEE Symposium on Security and Privacy (May 2001)
Copyright information
© 2004 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Basu, S., Uppuluri, P. (2004). Proxi-Annotated Control Flow Graphs: Deterministic Context-Sensitive Monitoring for Intrusion Detection. In: Ghosh, R.K., Mohanty, H. (eds) Distributed Computing and Internet Technology. ICDCIT 2004. Lecture Notes in Computer Science, vol 3347. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30555-2_41
DOI: https://doi.org/10.1007/978-3-540-30555-2_41
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-24075-4
Online ISBN: 978-3-540-30555-2