FLIPS: Hybrid Adaptive Intrusion Prevention

  • Conference paper
Recent Advances in Intrusion Detection (RAID 2005)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 3858))

Abstract

Intrusion detection systems are fundamentally passive and fail-open. Because their primary task is classification, they do nothing to prevent an attack from succeeding. An intrusion prevention system (IPS) adds protection mechanisms that provide fail-safe semantics, automatic response capabilities, and adaptive enforcement. We present FLIPS (Feedback Learning IPS), a hybrid approach to host security that prevents binary code injection attacks. It incorporates three major components: an anomaly-based classifier, a signature-based filtering scheme, and a supervision framework that employs Instruction Set Randomization (ISR). Since ISR prevents code injection attacks and can also precisely identify the injected code, we can tune the classifier and the filter via a learning mechanism based on this feedback. Capturing the injected code allows FLIPS to construct signatures for zero-day exploits. The filter can discard input that is anomalous or matches known malicious input, effectively protecting the application from additional instances of an attack, even zero-day attacks or attacks that are metamorphic in nature. FLIPS does not require a known user base and can be deployed transparently to clients and with minimal impact on servers. We describe a prototype that protects HTTP servers, but FLIPS can be applied to a variety of server and client applications.
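The feedback loop the abstract describes (anomaly classifier, signature filter, ISR-supervised application, with captured injected code fed back to both front-end components) as an added toy model; this is not the paper's code or the FLIPS prototype. Everything concrete in it is an assumption: the three-opcode instruction set, the XOR-with-key stand-in for ISR, the fixed-size buffer that models the vulnerable application, the PAYL-style 1-gram classifier with its deliberately loose initial threshold, and the constructed sample requests.

```python
"""Toy model of the FLIPS feedback loop (added example, not the paper's code).

Per request the pipeline is:
    signature filter -> anomaly classifier -> application under ISR supervision.
When the ISR supervisor traps injected code, the trapped bytes become a new
filter signature and the classifier's threshold is tightened: the feedback.
"""
from collections import Counter
from typing import List, Optional

VALID_OPCODES = {0x01: "NOP", 0x02: "INC", 0x03: "HALT"}   # toy ISA (assumption)
BUFFER_SIZE = 16        # fixed-size request buffer of the simulated application


def randomize(code: bytes, key: int) -> bytes:
    """ISR at load time: XOR every byte of the legitimate program with the key."""
    return bytes(b ^ key for b in code)


class ISRSupervisor:
    """Runs the application's randomized code. Injected bytes never went through
    randomize(), so de-randomizing them yields invalid opcodes and the trap
    pinpoints the injected region."""

    def __init__(self, code: bytes, key: int):
        self.key = key
        self.code = randomize(code, key)

    def run(self, request: bytes) -> Optional[bytes]:
        """Return None on a normal run, or the injected bytes on an ISR trap."""
        # Simulated flaw: a request longer than the buffer models a control
        # hijack whose target is the unrandomized overflow bytes.
        stream = self.code if len(request) <= BUFFER_SIZE else request[BUFFER_SIZE:]
        for i, b in enumerate(stream):
            op = b ^ self.key
            if op not in VALID_OPCODES:
                return stream[i:]          # trap: bytes from the faulting point on
            if VALID_OPCODES[op] == "HALT":
                break
        return None


class ByteFrequencyClassifier:
    """PAYL-style 1-gram model: mean byte distribution of normal requests.
    score() is the L1 distance from that mean (0 = identical, 2 = disjoint)."""

    def __init__(self, margin: float = 3.0):
        self.mean = [0.0] * 256
        self.margin = margin        # loose starting threshold (assumption)
        self.normal_max = 0.0
        self.threshold = 2.0

    @staticmethod
    def _dist(data: bytes) -> List[float]:
        freq = [0.0] * 256
        for b, c in Counter(data).items():
            freq[b] = c / len(data)
        return freq

    def train(self, samples: List[bytes]) -> None:
        for s in samples:
            for b, f in enumerate(self._dist(s)):
                self.mean[b] += f / len(samples)
        self.normal_max = max(self.score(s) for s in samples)
        self.threshold = self.margin * self.normal_max

    def score(self, data: bytes) -> float:
        return sum(abs(f - m) for f, m in zip(self._dist(data), self.mean))

    def is_anomalous(self, data: bytes) -> bool:
        return self.score(data) >= self.threshold

    def tune(self, malicious_score: float) -> None:
        """Feedback: pull the threshold down to a confirmed attack's score,
        but never below the highest score seen in normal training traffic."""
        if malicious_score > self.normal_max:
            self.threshold = min(self.threshold, malicious_score)


class FLIPS:
    def __init__(self, classifier: ByteFrequencyClassifier, app: ISRSupervisor):
        self.classifier, self.app = classifier, app
        self.signatures: List[bytes] = []

    def handle(self, request: bytes) -> str:
        if any(sig in request for sig in self.signatures):
            return "dropped:signature"
        if self.classifier.is_anomalous(request):
            return "dropped:anomalous"
        injected = self.app.run(request)
        if injected is None:
            return "served"
        # ISR feedback: the injected code is known exactly, so it becomes a
        # signature and its score tightens the classifier.
        self.signatures.append(injected)
        self.classifier.tune(self.classifier.score(request))
        return "blocked:isr"


# Constructed sample traffic (not from the paper).
NORMAL = [b"GET / HTTP/1.0", b"GET /a.html", b"GET /b.html", b"HEAD / HTTP/1.0"]
ATTACK = b"GET /" + b"\x90" * 20     # overflows BUFFER_SIZE with unrandomized bytes
VARIANT = b"GET /" + b"\x91" * 30    # metamorphic rewrite: same shape, new bytes


def build() -> FLIPS:
    clf = ByteFrequencyClassifier()
    clf.train(NORMAL)
    return FLIPS(clf, ISRSupervisor(code=bytes([0x01, 0x02, 0x03]), key=0xA5))


def demo() -> List[str]:
    flips = build()
    return [flips.handle(r) for r in (NORMAL[1], ATTACK, ATTACK, VARIANT, NORMAL[2])]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The sequence in `demo()` is the point: the first instance of the zero-day passes the loosely tuned classifier and is stopped only by ISR, which yields the injected bytes; the identical second instance is dropped by the new signature before it reaches the application, and the metamorphic variant, which the signature cannot match, is dropped by the classifier whose threshold the feedback lowered. Legitimate requests are still served after tuning because the threshold is never pulled below the training traffic's highest score.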

Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

Cite this paper

Locasto, M.E., Wang, K., Keromytis, A.D., Stolfo, S.J. (2006). FLIPS: Hybrid Adaptive Intrusion Prevention. In: Valdes, A., Zamboni, D. (eds) Recent Advances in Intrusion Detection. RAID 2005. Lecture Notes in Computer Science, vol 3858. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11663812_5

  • DOI: https://doi.org/10.1007/11663812_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-31778-4

  • Online ISBN: 978-3-540-31779-1