Application-based anomaly intrusion detection with dynamic information flow analysis☆
Introduction
Information flow control, which deals with restricting the flow of information between objects manipulated by a program, is a classical subject of computer security research (Fenton, 1974, Denning and Denning, 1977). Information flow control is necessary because controlling access to individual objects is not sufficient to prevent indirect propagation of information resulting in either leakage of information from sensitive objects to untrusted recipients or tampering with sensitive objects by untrusted agents. For example, a program that legitimately accesses confidential information associated with one user may, under certain conditions, disclose it to another user who is not authorized to access it.
Despite its long history, research on information flow control has until recently had relatively little impact on the field of intrusion detection (Denning, 1987), which aims at detecting and responding to intrusions/attacks against systems and applications. This is surprising because the purpose of certain sophisticated attacks against software is precisely to induce insecure information flows to or from sensitive objects, and such flows may be the only indication of such attacks.
Intrusion detection systems are of two principal types (Axelsson, March 2000): signature matching (or misuse detection) systems and anomaly detection systems. Signature matching systems look for intrusion signatures, which are characteristic indications of known attacks. Anomaly detection systems look for system/application behavior that is anomalous in the sense that it differs markedly from normal, safe behavior. Signature matching systems tend to issue fewer “false positive” alerts than anomaly detection systems, but the former cannot detect novel attacks, while the latter can. In practice, both kinds of systems suffer from problems of inaccuracy and imprecision.
Recently, Zimmermann et al., October 2003, Zimmermann et al., November 2003 proposed an intrusion detection model based on runtime enforcement of an information flow policy, which specifies the information flows that are permissible in a given system. They argued that their model detects confidentiality and integrity violations more reliably than either signature matching systems or anomaly detection systems do, because it focuses on policy violations rather than on ancillary events. Although enforcement of information flow policies is very desirable, it is not a complete solution to the problem of revealing security vulnerabilities in software. First, denial-of-service attacks need not cause confidentiality or integrity violations. Second, information flow policies may suffer from the same types of problems that affect other software specifications, such as incorrectness and incompleteness.
In this paper, we present evidence that dynamic information flow analysis (DIFA) has important applications to vulnerability detection besides the enforcement of information flow policies (which we addressed in Masri et al. (2004)). These applications are based on the fact that patterns of information flow that occur during execution of a program characterize its computation to a high degree. Information flows are fundamental aspects of program execution, because they indicate the direct and indirect interactions between program elements (e.g., variables, instructions, and procedures) and the associated dependences between those elements. Such interactions may span much program code and many program components. Information flows, which we assume are transitive in general,1 also define the essential constraints on the order in which operations are executed, that is, those that determine a program's input/output behavior.2
We investigate the hypothesis that novel attacks often cause anomalous patterns of information flow, which sometimes are the only indication of a security failure. (Note that where an information flow policy exists, an anomalous information flow pattern associated with a security failure need not violate the policy, because the policy may be incomplete or the failure may not involve any illegal flows.) We show that these patterns can be detected by applying anomaly detection techniques to information flow profiles, that is, to execution profiles that characterize a program's dynamic information flows. This suggests that it is feasible to enhance anomaly intrusion detection systems with the capability to detect anomalous information flows associated with attacks. Note, however, that we do not claim that information flows alone are sufficient to characterize the full range of attacks that an IDS must confront.
Zimmermann et al., October 2003, Zimmermann et al., November 2003 policy-based model deals with information flows between entire objects. They assert that a finer-grained online analysis, which would involve analyzing: (1) data flows involving object fields and local variables and (2) control dependences, is unrealistic on a large-scale OS running third-party software (Zimmermann et al., October 2003). Our own prior work suggests that the higher overhead of fine-grained DIFA precludes its online application with processing-intensive applications (Masri, 2004). For use in corrective software maintenance, however, fine-grained DIFA is preferable to coarse-grained DIFA, because the former is more precise and because the analysis can be done offline with the aid of execution capture/replay (Steven et al., 2000, Orso and Kennedy, 2005). In contrast to most work on intrusion detection, including Zimmerman et al.'s, we emphasize offline identification and repair of security vulnerabilities in software rather than online detection and response to attacks. Our approach, which we call information flow anomaly detection (IFAD) calls for executions to be captured online and then replayed, profiled, analyzed, and audited (if suspicious) offline. This makes it feasible to employ fine-grained DIFA and to involve software developers in the analysis and decision-making processes.
In Section 2, we survey work related to dynamic information flow analysis. In Section 3, we discuss the assumptions behind our information flow anomaly detection approach. Section 4 describes our fine-grained DIFA tool DynFlow. Section 5 provides a detailed description of our approach. In Section 6, we illustrate the potential of our approach by applying it in several case studies involving security vulnerabilities in open source software; we also compare the effectiveness of our approach to another one based on analyzing method calls stacks. Section 7 presents our conclusions and future work.
The main contributions of this work are:
- •
A new semi-automated offline approach to detecting software security failures that combines fine-grained DIFA with anomaly detection techniques to facilitate the identification and repair of security vulnerabilities.
- •
A prototype implementation of the approach.
- •
Case studies in which the approach was employed to detect security failures of open source software and was compared to a form of anomaly detection based on analysis of method call stacks and to random sampling.
Section snippets
Related work
Dynamic information flow analysis was first proposed by Fenton (1974), who described an abstract machine called the Data Mark Machine to support the dynamic checking of information flows. DIFA has received substantially less attention in the research literature than static information flow analysis, which was first described by Denning and Denning (1977). Recently, however, several papers in addition to Zimmermann et al., October 2003, Zimmermann et al., November 2003 (see Section 1) have
Assumptions
To limit the scope of our investigation, we focus on attacks against applications that do not compromise the underlying computing platform or violate the semantics of the implementation language. This class of attacks is becoming increasingly relevant as more applications are implemented using languages such as Java and C# that are based on relatively secure virtual machines. Thus, we do not attempt to address buffer-overflow attacks or other attacks that exploit vulnerabilities in an operating
The DynFlow Tool
In Masri et al. (2004) we presented a new approach to DIFA that can be used to detect, prevent, or debug insecure flows in programs, and we described a prototype tool implementing the approach for Java byte code programs. We used an updated version of this tool, which is called DynFlow, in the case studies described in Section 6, to implement fine-grained DIFA in support of information flow anomaly detection. The basic functions of DynFlow are: detecting violations of information flow policies;
Information flow anomaly detection
Anomaly detection techniques (Liepins and Vaccaro, 1989), which are intended to enable the detection of novel attacks, are based on the assumption that attacks often induce unusual execution behavior that can be distinguished from normal behavior. Most research on host-based and application-based anomaly detection techniques involves the analysis of system call sequences. Forrest et al., 1996, Hofmeyr et al., 1998 presented a form of anomaly detection that involves: (1) characterizing normal
Empirical results
To assess the relative effectiveness of information flow anomaly detection for revealing vulnerabilities, we compared IFP-OPC, IFP-FP, MCS-OPC, MCS-FP, and simple random sampling (SRS) with respect to how many distinct vulnerabilities each technique revealed in each of four subject programs, for given numbers of executions selected for auditing. Technique A is considered more effective than technique B if A generally reveals more vulnerabilities than B without requiring more executions to be
Conclusions and future work
A new offline approach to detecting software security failures was presented that employs fine-grained dynamic information flow analysis (DIFA) to reveal unusual patterns of information flow (information flow anomalies) that may be associated with them. The emphasis of the approach is identification of security vulnerabilities in software rather than online response to attacks. Executions are captured online and are replayed, profiled, and analyzed offline so that suspicious executions can be
Andy Podgurski received his MS and PhD degrees in Computer Science from the University of Massachusetts at Amherst in 1989. He is currently an Associate Professor in the Electrical Engineering & Computer Science Department at Case Western Reserve University, where he has been a faculty member since 1989. His research interest is software engineering methodology, especially the application of static and dynamic program analysis in combination with data mining, statistical, and machine learning
References (38)
Intrusion detection systems: a survey and taxonomy. Technical report 99-15
(March 2000)The base-rate fallacy and the difficulty of intrusion detection
ACM Transactions on Information Systems and Security
(August 2000)- et al.
Improving attack detection in host-based IDS by learning properties of system call arguments. Technical report SECLAB-05-03
(July 2005) - et al.
Certification of programs for secure information flow
Communication of the ACM
(1977) An intrusion detection model
IEEE Transactions on Software Engineering
(February, 1987)- Dickinson W, Leon D, Podgurski A. Finding failures by cluster analysis of execution profiles. In: Twenty-third...
- et al.
Pursuing failure: the distribution of program failures in a profile space
- et al.
Anomaly detection using call stack information
IEEE Symposium on Security and Privacy (Oakland, CA)
(May 2003) Memoryless subsystems
The Computer Journal
(1974)- et al.
A sense of self for UNIX processes
IEEE Symposium on Security and Privacy (Los Alamitos, CA)
(1996)
Practical, dynamic information-flow for virtual machines. Technical report no. 05-02
Intrusion detection using sequences of system calls
Journal of Computer Security
Algorithms for clustering data
Cited by (30)
Generating profile-based signatures for online intrusion and failure detection
2014, Information and Software TechnologyCitation Excerpt :Next we describe work related to our approach that we categorize and list in order of relevance as follows: profile-based techniques, pattern matching techniques, taint-based techniques, and finally anomaly-based techniques; noting that some listed work fall under more than one category. In previous work, the main author presented an approach to detecting security attacks, whose primary goal is facilitating identification and repair of security vulnerabilities rather than permitting online response to attacks [41]. The approach is based on online capture of execution inputs and offline replay, profiling, and analysis.
An algorithm for capturing variables dependences in test suites
2011, Journal of Systems and SoftwareCitation Excerpt :Program dependences are leveraged by several areas of software engineering including software testing, debugging, fault localization, and security (Harman and Danicic, 1995; Masri et al., 2007; Masri and Podgurski, 2009a, 2008; Masri, 2010; Masri and El-Ghali, 2009; El-Ghali and Masri, 2009).
ViaLin: Path-Aware Dynamic Taint Analysis for Android
2023, ESEC/FSE 2023 - Proceedings of the 31st ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software EngineeringSecurity Aspect in Software Testing Perspective: A Systematic Literature Review
2023, Journal of Information Systems Engineering and Business IntelligenceNodeMedic: End-to-End Analysis of Node.js Vulnerabilities with Provenance Graphs
2023, Proceedings - 8th IEEE European Symposium on Security and Privacy, Euro S and P 2023
Andy Podgurski received his MS and PhD degrees in Computer Science from the University of Massachusetts at Amherst in 1989. He is currently an Associate Professor in the Electrical Engineering & Computer Science Department at Case Western Reserve University, where he has been a faculty member since 1989. His research interest is software engineering methodology, especially the application of static and dynamic program analysis in combination with data mining, statistical, and machine learning techniques to enhance software reliability and security and to facilitate software maintenance. He is currently Associate Editor of the journal Software Testing, Verification, and Reliability, and he is a member of the IEEE Computer Society and the ACM.
Wes Masri received the BS degree in electrical engineering from Case Western Reserve University, the MS degree in electrical and computer engineering from the Pennsylvania State University, and the PhD degree in computer engineering from Case Western Reserve University. He is currently an assistant professor in the Department of Computer Science at the American University of Beirut, prior to that he spent fifteen years in the software industry primarily as a developer. His research interests include software engineering and dynamic program analysis with an emphasis on software testing and security. He is a member of the IEEE Computer Society.
- ☆
In this research, Dr. Masri was supported in part by LNCSR grant 022136.