Abstract
Intrusion detection systems are fundamentally passive and fail-open. Because their primary task is classification, they do nothing to prevent an attack from succeeding. An intrusion prevention system (IPS) adds protection mechanisms that provide fail-safe semantics, automatic response capabilities, and adaptive enforcement. We present FLIPS (Feedback Learning IPS), a hybrid approach to host security that prevents binary code injection attacks. It incorporates three major components: an anomaly-based classifier, a signature-based filtering scheme, and a supervision framework that employs Instruction Set Randomization (ISR). Since ISR prevents code injection attacks and can also precisely identify the injected code, we can tune the classifier and the filter via a learning mechanism based on this feedback. Capturing the injected code allows FLIPS to construct signatures for zero-day exploits. The filter can discard input that is anomalous or matches known malicious input, effectively protecting the application from additional instances of an attack – even zero-day attacks or attacks that are metamorphic in nature. FLIPS does not require a known user base and can be deployed transparently to clients and with minimal impact on servers. We describe a prototype that protects HTTP servers, but FLIPS can be applied to a variety of server and client applications.
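The feedback loop the abstract describes, as an added example that is not the paper's code: a simplified PAYL-style byte-frequency classifier and a signature filter sit in front of the server, and a hypothetical ISR supervisor stub (standing in for the randomized-execution environment that catches and reports injected code) feeds captured bytes back so the filter learns an exact signature and the classifier tightens its threshold without flagging training traffic. The request bytes, the `INJECTED` stand-in and the `stub_supervisor` are all constructed for this example.

```python
# Toy model of the FLIPS feedback loop (constructed example; supervisor is a stub).
from collections import Counter

class ByteProfile:  # simplified PAYL-style 1-gram model of normal traffic
    def __init__(self, samples):
        self.mean = [0.0] * 256
        for s in samples:
            for b, n in Counter(s).items():
                self.mean[b] += n / len(s) / len(samples)
        self.max_train = max(self.score(s) for s in samples)  # most anomalous normal
    def score(self, data):  # L1 distance to the mean distribution, always in [0, 2]
        c = Counter(data)
        return sum(abs(c.get(b, 0) / len(data) - self.mean[b]) for b in range(256))

class Flips:
    def __init__(self, normal_samples, supervisor):
        self.profile = ByteProfile(normal_samples)
        self.threshold = 2.0          # start permissive; feedback tightens it
        self.signatures = set()       # byte strings captured from real injected code
        self.supervisor = supervisor  # stub: returns injected bytes on an ISR fault
    def filter(self, request):
        if any(sig in request for sig in self.signatures):
            return "drop:signature"
        return "drop:anomalous" if self.profile.score(request) > self.threshold else "pass"
    def handle(self, request):
        verdict = self.filter(request)
        if verdict != "pass":
            return verdict
        injected = self.supervisor(request)  # ISR: injected code faults and is captured
        if injected is None:
            return "served"
        self.feedback(request, injected)
        return "blocked:isr"
    def feedback(self, request, injected):  # learn from a caught attack
        self.signatures.add(injected)  # exact match blocks replays of this exploit
        attack_score = self.profile.score(request)
        if attack_score > self.profile.max_train:  # keep known-good traffic passing
            self.threshold = min(self.threshold, (self.profile.max_train + attack_score) / 2)

NORMAL = [b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",  # constructed
          b"GET /about HTTP/1.1\r\nHost: example.com\r\n\r\n",
          b"POST /login HTTP/1.1\r\nHost: example.com\r\nContent-Length: 9\r\n\r\nuser=anon"]
INJECTED = bytes(range(0x80, 0xC0))  # constructed stand-in for injected machine code
ATTACK = b"GET /" + INJECTED + b" HTTP/1.1\r\n\r\n"
VARIANT = b"GET /" + INJECTED[::-1] + b" HTTP/1.1\r\n\r\n"  # same bytes, reordered
def stub_supervisor(request):  # stands in for the ISR emulator catching the fault
    return INJECTED if INJECTED in request else None

def demo():
    f = Flips(NORMAL, stub_supervisor)
    return (f.handle(ATTACK),     # zero-day: passes the filter, caught by ISR
            f.handle(ATTACK),     # replay: dropped by the learned signature
            f.handle(VARIANT),    # evades the signature, dropped by the classifier
            f.handle(NORMAL[0]))  # known-good request is still served
```

The reordered variant shows why both components are needed: the exact signature misses it, but its byte histogram is identical to the caught attack, so the re-tuned classifier drops it while the threshold never falls below the most anomalous training sample.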
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Locasto, M.E., Wang, K., Keromytis, A.D., Stolfo, S.J. (2006). FLIPS: Hybrid Adaptive Intrusion Prevention. In: Valdes, A., Zamboni, D. (eds) Recent Advances in Intrusion Detection. RAID 2005. Lecture Notes in Computer Science, vol 3858. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11663812_5
DOI: https://doi.org/10.1007/11663812_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-31778-4
Online ISBN: 978-3-540-31779-1