Abstract
We perform host-based intrusion detection by constructing a model from a program’s binary code and then restricting the program’s execution by the model. We improve the effectiveness of such model-based intrusion detection systems by incorporating into the model knowledge of the environment in which the program runs, and by increasing the accuracy of our models with a new data-flow analysis algorithm for context-sensitive recovery of static data.
The environment—configuration files, command-line parameters, and environment variables—constrains acceptable process execution. Environment dependencies added to a program model update the model to the current environment at every program execution.
Our new static data-flow analysis associates a program’s data flows with specific calling contexts that use the data. We use this analysis to differentiate system-call arguments flowing from distinct call sites in the program.
Using a new average reachability measure suitable for evaluation of call-stack-based program models, we demonstrate that our techniques improve the precision of several test programs’ models from 76% to 100%.
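The abstract describes two refinements to a call-stack-based program model: environment dependencies that are re-resolved against the current configuration, command-line and environment variables at every program start, and context-sensitive recovery of static system-call arguments so that the same system call issued from different call sites carries different constraints. The following Python toy is an added illustration of that idea and is not the paper's code or tool; the rule format, the `$VAR` template notation, the function names and the constructed traces are all assumptions made for this example. It shows a model that rejects an `open` whose argument is wrong for its calling context or for the current environment, while a flattened model that keeps only system-call names accepts the same trace.

```python
"""
Toy environment-sensitive, call-stack-based program model checker.
Added example for illustration; not the paper's implementation.
All names, formats and sample traces below are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A calling context is the stack of active functions, outermost first (assumed representation).
Stack = Tuple[str, ...]


@dataclass(frozen=True)
class Rule:
    syscall: str
    stack: Stack            # calling context in which this rule applies ((), if any context)
    arg: Optional[str]      # static value, "$VAR" template resolved per environment, or None if unconstrained


# Constructed static model, standing in for what binary analysis would recover for a toy program.
# "$HOME" marks an environment dependency that is resolved at every program execution.
STATIC_MODEL: List[Rule] = [
    Rule("open", ("main", "load_config"), "$HOME/.apprc"),
    Rule("open", ("main", "write_log"), "/var/log/app.log"),
    Rule("open", ("main", "read_input"), None),   # path comes from input: unconstrained
    Rule("write", ("main", "write_log"), None),
    Rule("exit", ("main",), None),
]

_TEMPLATE = re.compile(r"\$([A-Z_][A-Z0-9_]*)")


def instantiate(model: List[Rule], env: dict) -> List[Rule]:
    """Resolve every environment dependency in the model against the current environment."""
    out = []
    for r in model:
        arg = r.arg
        if arg is not None:
            def sub(m: "re.Match") -> str:
                name = m.group(1)
                if name not in env:
                    raise KeyError(f"model depends on unset environment variable {name}")
                return env[name]
            arg = _TEMPLATE.sub(sub, arg)
        out.append(Rule(r.syscall, r.stack, arg))
    return out


def flatten(model: List[Rule]) -> List[Rule]:
    """Drop calling contexts and argument constraints, keeping system-call names only.
    This stands in for the coarser models the abstract's techniques improve on."""
    return [Rule(r.syscall, (), None) for r in model]


def accepts(model: List[Rule], event: Tuple[Stack, str, Optional[str]]) -> bool:
    """An event is accepted if some rule matches its syscall, context and argument."""
    stack, syscall, arg = event
    for r in model:
        if r.syscall != syscall:
            continue
        if r.stack and r.stack != stack:
            continue
        if r.arg is not None and r.arg != arg:
            continue
        return True
    return False


def check_trace(model: List[Rule], trace) -> Optional[int]:
    """Return the index of the first rejected event, or None if the whole trace is accepted."""
    for i, ev in enumerate(trace):
        if not accepts(model, ev):
            return i
    return None


# Constructed environment and traces (call stack, system call, argument).
ENV = {"HOME": "/home/alice"}
BENIGN = [
    (("main", "load_config"), "open", "/home/alice/.apprc"),
    (("main", "read_input"), "open", "/tmp/upload.dat"),
    (("main", "write_log"), "open", "/var/log/app.log"),
    (("main", "write_log"), "write", None),
    (("main",), "exit", None),
]
# Same system-call sequence, but the open issued from write_log's context names a path
# the analysis never saw flow to that call site; a context-sensitive model rejects event 2.
DEVIANT = list(BENIGN)
DEVIANT[2] = (("main", "write_log"), "open", "/tmp/unexpected")

if __name__ == "__main__":
    m = instantiate(STATIC_MODEL, ENV)
    print("benign trace, sensitive model:", check_trace(m, BENIGN))                 # None
    print("deviant trace, sensitive model:", check_trace(m, DEVIANT))               # 2
    print("deviant trace, flattened model:", check_trace(flatten(m), DEVIANT))      # None
```

Instantiating the same static model under a different environment (for example `HOME=/home/bob`) changes which `open` argument is acceptable from `load_config`, which is the point of re-resolving environment dependencies at each execution rather than baking one environment into the model.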
© 2006 Springer-Verlag Berlin Heidelberg
Giffin, J.T., Dagon, D., Jha, S., Lee, W., Miller, B.P. (2006). Environment-Sensitive Intrusion Detection. In: Valdes, A., Zamboni, D. (eds) Recent Advances in Intrusion Detection. RAID 2005. Lecture Notes in Computer Science, vol 3858. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11663812_10
Print ISBN: 978-3-540-31778-4
Online ISBN: 978-3-540-31779-1