Efficient Intrusion Detection Based on Static Analysis and Stack Walks

Conference paper
Advances in Information and Computer Security (IWSEC 2009)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 5824)

Abstract

Some intrusion detection models, such as VPStatic, first construct a behavior model for a program via static analysis and then perform intrusion detection by monitoring whether the program's execution is consistent with this model. These models usually share the highly desirable property that they produce no false alarms, but they face a conflict between precision and efficiency: the high precision of VPStatic comes at the cost of high space complexity. In this paper, we propose a new context-sensitive intrusion detection model based on static analysis and stack walks, which is similar to VPStatic but much more efficient, especially in memory use. We replace the automaton in VPStatic with a state transition table (STT), and all redundant states and transitions of VPStatic are eliminated. We prove that our STT model is a deterministic pushdown automaton (DPDA) whose precision is the same as that of VPStatic. Experiments also demonstrate that the STT model reduces both time and memory costs compared with VPStatic; in particular, memory overheads are less than half of VPStatic's. Thereby, we alleviate the conflict between precision and efficiency.
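The abstract describes the monitoring scheme only at a high level: a table-driven pushdown automaton whose context comes from walking the call stack at each system call. The following is an added toy illustration of that scheme, not the paper's code or its STT construction. The program, its three functions, the hand-written transition table (which static analysis would otherwise produce), the state names and the sample traces are all constructed for this example; the monitor recovers the calls and returns that happened between two system calls by comparing consecutive stack walks, and rejects a system call that is legal somewhere in the program but not in the observed calling context, as well as a walked return site that no call edge from the current state can explain.

```python
"""Toy context-sensitive system-call monitor driven by a state transition
table (STT) and stack walks.  Added illustration, not the paper's code."""
from typing import Dict, List, Optional, Tuple

Event = Tuple[str, ...]          # ("sys", name) | ("call", callee) | ("ret",)
Table = Dict[Tuple[str, Event], Optional[str]]

# Constructed STT for a hypothetical three-function program; static analysis
# of the binary would produce this table, here it is written by hand.
#   main:     open_cfg(); log(); exit
#   open_cfg: open; read; return
#   log:      write; return
# A state names a program point.  The target of a "call" transition is the
# return site: the state execution resumes at once the callee returns.
ENTRY = {"main": "main0", "open_cfg": "open_cfg0", "log": "log0"}
TABLE: Table = {
    ("main0", ("call", "open_cfg")): "main1",
    ("main1", ("call", "log")): "main2",
    ("main2", ("sys", "exit")): "main3",
    ("open_cfg0", ("sys", "open")): "open_cfg1",
    ("open_cfg1", ("sys", "read")): "open_cfg2",
    ("open_cfg2", ("ret",)): None,
    ("log0", ("sys", "write")): "log1",
    ("log1", ("ret",)): None,
}


class Violation(Exception):
    """Raised when the observed execution leaves the language of the model."""


class STTMonitor:
    """Deterministic pushdown automaton: current state plus a stack of return sites."""

    def __init__(self, table: Table, entry: Dict[str, str], main: str = "main"):
        self.table = table
        self.entry = entry
        self.state = entry[main]
        self.stack: List[str] = []      # model stack of return sites
        self.last_walk: List[str] = []  # stack observed at the previous syscall
        # Determinism check: from any state, a return site identifies one call edge.
        seen = set()
        for (state, ev), nxt in table.items():
            if ev[0] == "call":
                if (state, nxt) in seen:
                    raise ValueError(f"ambiguous return site {nxt} from {state}")
                seen.add((state, nxt))

    def _step(self, event: Event) -> Optional[str]:
        key = (self.state, event)
        if key not in self.table:
            raise Violation(f"no transition from {self.state} on {event}")
        return self.table[key]

    def _call(self, ret_site: str) -> None:
        # The walked return site must be the target of a call edge leaving the
        # current state; that edge tells the monitor which function was entered.
        for (state, ev), nxt in self.table.items():
            if state == self.state and ev[0] == "call" and nxt == ret_site:
                self.stack.append(ret_site)
                self.state = self.entry[ev[1]]
                return
        raise Violation(f"return site {ret_site} is not a call site reachable from {self.state}")

    def syscall(self, name: str, walk: List[str]) -> None:
        """Consume one system call together with the stack walked at that moment.

        walk lists return sites outermost first.  Frames that differ from the
        previous walk reveal the returns and calls that happened in between,
        so no instrumentation of individual calls is needed."""
        common = 0
        while (common < min(len(walk), len(self.last_walk))
               and walk[common] == self.last_walk[common]):
            common += 1
        for _ in range(len(self.last_walk) - common):   # frames that vanished
            self._step(("ret",))                        # a return is only legal at a function end
            self.state = self.stack.pop()
        for ret_site in walk[common:]:                  # frames that appeared
            self._call(ret_site)
        self.state = self._step(("sys", name))
        self.last_walk = list(walk)


def check_trace(trace: List[Tuple[str, List[str]]]) -> Tuple[bool, str]:
    """Run a (syscall, walked_stack) trace and report the first violation, if any."""
    mon = STTMonitor(TABLE, ENTRY)
    try:
        for name, walk in trace:
            mon.syscall(name, walk)
    except Violation as exc:
        return False, str(exc)
    return True, f"accepted, final state {mon.state}"


# Constructed traces.  Normal execution of the modelled program:
NORMAL = [("open", ["main1"]), ("read", ["main1"]), ("write", ["main2"]), ("exit", [])]
# "write" is a legal syscall in log, but here it is issued from inside open_cfg:
WRONG_CONTEXT = [("open", ["main1"]), ("read", ["main1"]), ("write", ["main1"])]
# A forged frame: no call edge from main0 returns to main2:
IMPOSSIBLE_PATH = [("open", ["main2"])]

if __name__ == "__main__":
    for label, trace in [("normal", NORMAL), ("wrong context", WRONG_CONTEXT),
                         ("impossible path", IMPOSSIBLE_PATH)]:
        print(label, check_trace(trace))
```

The table is a plain dictionary keyed by (state, event), so each state stores only its outgoing edges and lookup is a single hash probe per event; the stack-walk comparison is what makes the check context-sensitive without tracing every function call.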



Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Hua, J., Li, M., Sakurai, K., Ren, Y. (2009). Efficient Intrusion Detection Based on Static Analysis and Stack Walks. In: Takagi, T., Mambo, M. (eds) Advances in Information and Computer Security. IWSEC 2009. Lecture Notes in Computer Science, vol 5824. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04846-3_11


  • DOI: https://doi.org/10.1007/978-3-642-04846-3_11

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-04845-6

  • Online ISBN: 978-3-642-04846-3
