
Accurately Detecting Source Code of Attacks That Increase Privilege

Conference paper in: Recent Advances in Intrusion Detection (RAID 2001)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2212)

Abstract

Host-based Intrusion Detection Systems (IDS) that rely on audit data exhibit a delay between attack execution and attack detection. A knowledgeable attacker can use this delay to disable the IDS, often by executing an attack that increases privilege. To prevent this, we have begun to develop a system that detects such attacks before they are executed. The system separates incoming data into several categories, each of which is summarized using feature statistics that are combined to estimate the posterior probability that the data contains attack code. Our work to date has focused on detecting attacks embedded in shell code and C source code. We have evaluated this system by constructing large databases of normal and attack software written by many people, selecting features and training classifiers, then testing the system on a disjoint corpus of normal and attack code. Results show that such attack code can be detected accurately.
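The following Python sketch is an added illustration of the pipeline the abstract describes; it is not code from the paper or its authors. Incoming text is routed into a category (shell script or C source, using a hypothetical shebang/semicolon heuristic), per-category token statistics are gathered from a labelled corpus, and a naive Bayes combination of those statistics yields the posterior probability that the input contains attack code, which is then thresholded and scored on a disjoint test set. The training and test corpora are constructed for this example (the "attack" fragments are schematic, keyword-bearing text, not working programs), and the tokenizer, category heuristic and naive Bayes model are assumptions of the example rather than the paper's actual features or classifiers.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed training corpus (hypothetical; NOT the paper's data). Each item is
# (label, text). The "attack" fragments are schematic: they carry the kinds of
# tokens privilege-escalation code tends to contain but are not working programs.
TRAINING = [
    ("normal", "#include <stdio.h>\nint main(void) { printf(\"hello\\n\"); return 0; }"),
    ("normal", "int sum = 0; for (i = 0; i < n; i++) { sum += a[i]; } return sum / n;"),
    ("normal", "FILE *f = fopen(path, \"r\"); if (f == NULL) { perror(\"fopen\"); return 1; }"),
    ("normal", "struct node *p = malloc(sizeof *p); p->next = head; head = p;"),
    ("normal", "#!/bin/sh\nfor f in *.log; do gzip \"$f\"; done"),
    ("normal", "#!/bin/sh\ntar czf backup.tgz /etc/hosts && echo backup done"),
    ("normal", "#!/bin/sh\ndate; uptime; df -h | grep /dev"),
    ("attack", "char shellcode[] = \"...\"; /* NOP sled, overwrite return address */ setuid(0); execve(\"/bin/sh\", argv, 0);"),
    ("attack", "/* exploit for a suid binary: smash the stack */ memcpy(buf + offset, shellcode, len); execl(\"/bin/sh\", \"sh\", 0);"),
    ("attack", "long retaddr = get_sp() - offset; /* root shell via overflow */ setreuid(0, 0); execve(\"/bin/sh\", 0, 0);"),
    ("attack", "#!/bin/sh\n# exploit: race the suid program and get a root shell\nwhile true; do ln -sf target /tmp/x; done"),
    ("attack", "#!/bin/sh\n# local root exploit, drops a suid root shell in /tmp\nexploit_suid \"$TARGET\""),
    ("attack", "#!/bin/sh\necho 'r00t shell'; id # exploit succeeded, expect uid=0"),
]

# Constructed, disjoint test corpus (hypothetical), used to estimate detection
# and false-alarm rates after training.
TEST = [
    ("normal", "#include <string.h>\nsize_t n = strlen(s); char *copy = malloc(n + 1); memcpy(copy, s, n + 1); return copy;"),
    ("attack", "/* stack overflow exploit: jump into the shellcode and spawn a root shell */ strcpy(buf, payload); setuid(0); execve(\"/bin/sh\", 0, 0);"),
    ("normal", "#!/bin/sh\nfor h in $(cat hosts.txt); do ping -c 1 \"$h\" && echo \"$h up\"; done"),
    ("attack", "#!/bin/sh\n# exploit for the suid helper: overwrite target and pop a root shell\nuid=0 exploit_suid /tmp/target"),
]

TOKEN_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
SHEBANG_RE = re.compile(r"^#!.*\b(?:sh|bash|ksh|zsh|dash)\b")


def tokenize(text):
    """Identifier-like tokens, lower-cased; these are the raw features."""
    return TOKEN_RE.findall(text.lower())


def categorize(text):
    """Hypothetical routing heuristic: shell script, C-like source, or other."""
    first_line = text.lstrip().split("\n", 1)[0]
    if SHEBANG_RE.match(first_line):
        return "shell"
    if "#include" in text or ";" in text:
        return "c"
    return "other"


class CategoryModel:
    """Per-category feature statistics combined with a naive Bayes rule."""

    def __init__(self):
        self.doc_counts = Counter()
        self.token_counts = {"normal": Counter(), "attack": Counter()}
        self.vocab = set()

    def add(self, label, tokens):
        self.doc_counts[label] += 1
        self.token_counts[label].update(tokens)
        self.vocab.update(tokens)

    def log_likelihood(self, label, tokens):
        counts = self.token_counts[label]
        total = sum(counts.values())
        # Laplace smoothing so a token unseen in one class does not zero it out
        return sum(math.log((counts[t] + 1) / (total + len(self.vocab))) for t in tokens)

    def posterior_attack(self, tokens):
        """P(attack | tokens) with class priors taken from the training counts."""
        known = [t for t in tokens if t in self.vocab]  # ignore never-seen tokens
        n_docs = sum(self.doc_counts.values())
        log_attack = math.log(self.doc_counts["attack"] / n_docs) + self.log_likelihood("attack", known)
        log_normal = math.log(self.doc_counts["normal"] / n_docs) + self.log_likelihood("normal", known)
        m = max(log_attack, log_normal)  # log-sum-exp for numerical stability
        return math.exp(log_attack - m) / (math.exp(log_attack - m) + math.exp(log_normal - m))


class SourceCodeAttackDetector:
    def __init__(self):
        self.models = defaultdict(CategoryModel)

    def train(self, corpus):
        for label, text in corpus:
            self.models[categorize(text)].add(label, tokenize(text))

    def score(self, text):
        """Return (category, posterior) or (category, None) if no model exists."""
        category = categorize(text)
        model = self.models.get(category)
        if model is None or not model.doc_counts:
            return category, None
        return category, model.posterior_attack(tokenize(text))

    def is_attack(self, text, threshold=0.5):
        _, p = self.score(text)
        return p is not None and p >= threshold


def build_detector():
    detector = SourceCodeAttackDetector()
    detector.train(TRAINING)
    return detector


def evaluate(detector, corpus, threshold=0.5):
    """(detection rate, false-alarm rate) on a labelled corpus at one threshold."""
    attacks = [t for label, t in corpus if label == "attack"]
    normals = [t for label, t in corpus if label == "normal"]
    detected = sum(detector.is_attack(t, threshold) for t in attacks)
    false_alarms = sum(detector.is_attack(t, threshold) for t in normals)
    return detected / len(attacks), false_alarms / len(normals)


if __name__ == "__main__":
    det = build_detector()
    for label, text in TEST:
        category, p = det.score(text)
        print(f"{label:6s} {category:5s} P(attack)={p:.3f}")
    print("detection rate, false-alarm rate:", evaluate(det, TEST))
```

Sweeping `threshold` in `evaluate` over (0, 1) traces the trade-off between detection rate and false-alarm rate for each category, which is the kind of curve the paper's evaluation on disjoint normal and attack corpora produces; on a corpus this small the two classes separate completely, which real corpora written by many people will not.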

This work was sponsored by the Department of the Air Force under Air Force contract F19628-00-C-0002. Opinions, interpretations, conclusions, and recommendations are those of the authors and are not necessarily endorsed by the United States Air Force.




Copyright information

© 2001 Springer-Verlag Berlin Heidelberg

Cite this paper

Cunningham, R.K., Stevenson, C.S. (2001). Accurately Detecting Source Code of Attacks That Increase Privilege. In: Lee, W., Mé, L., Wespi, A. (eds) Recent Advances in Intrusion Detection. RAID 2001. Lecture Notes in Computer Science, vol 2212. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45474-8_7

  • DOI: https://doi.org/10.1007/3-540-45474-8_7

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-42702-5

  • Online ISBN: 978-3-540-45474-8
