FloGuard: Cost-Aware Systemwide Intrusion Defense via Online Forensics and On-Demand IDS Deployment

  • Saman Aliari Zonouz
  • Kaustubh R. Joshi
  • William H. Sanders
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6894)


Detecting intrusions early enough can be a challenging and expensive endeavor. While intrusion detection techniques exist for many types of vulnerabilities, deploying them all to catch the small number of vulnerability exploitations that might actually exist for a given system is not cost-effective. In this paper, we present FloGuard, an on-line intrusion forensics and on-demand detector selection framework that gives systems the ability to deploy the right detectors dynamically, in a cost-effective manner, when the system is threatened by an exploit. FloGuard relies on often easy-to-detect symptoms of attacks, e.g., participation in a botnet, and works backwards by iteratively deploying off-the-shelf detectors closer to the initial attack vector. Experiments using the EggDrop bot and systems with real vulnerabilities show that FloGuard can efficiently localize the attack origins even for unknown vulnerabilities, and can judiciously choose appropriate detectors to prevent them from being exploited in the future.
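The backward, symptom-driven strategy the abstract describes can be made concrete with a small simulation. The following Python is an added illustration written for this page; it is not FloGuard's code or its actual selection algorithm. The system dependency graph, the entry-point set, the detector catalogue (names, costs and the node kinds each detector "reveals") and the `kind:name` node-naming scheme are all constructed assumptions. The defender starts from one observable symptom (outbound IRC-style traffic), sees only the dependency edges that already-deployed detectors expose, and each time the known graph dead-ends before reaching an exposed entry point it deploys the cheapest undeployed detector that can illuminate the dead end.

```python
"""Toy model of symptom-driven, cost-aware backward detector selection.

Added example for this page, not FloGuard's code. Graph, detectors, costs
and node naming (kind:name) are constructed assumptions.
"""
from dataclasses import dataclass

# Constructed ground truth: (src, dst) means dst was influenced by src.
# The defender only learns an edge once a deployed detector covers the
# destination node's kind (net / file / proc).
HIDDEN_EDGES = {
    ("net:inbound:80", "proc:httpd"),
    ("proc:httpd", "proc:php"),
    ("proc:php", "file:/tmp/bot.pl"),
    ("file:/tmp/bot.pl", "proc:perl"),
    ("proc:perl", "net:outbound:6667"),  # the visible symptom: C2 traffic
}
ENTRY_POINTS = {"net:inbound:80"}  # attack vectors the host exposes (assumed)


@dataclass(frozen=True)
class Detector:
    name: str
    cost: float          # deployment plus runtime cost, arbitrary units
    covers: frozenset    # node kinds whose incoming edges it reveals


# Constructed catalogue; the names only evoke tool classes, costs are made up.
CATALOGUE = [
    Detector("network-ids", 1.0, frozenset({"net"})),
    Detector("file-integrity-monitor", 2.0, frozenset({"file"})),
    Detector("process-syscall-monitor", 4.0, frozenset({"proc"})),
    Detector("whole-system-taint-tracker", 20.0, frozenset({"net", "file", "proc"})),
]


def kind(node):
    return node.split(":", 1)[0]


def backward_closure(edges, start):
    """Nodes from which `start` is reachable over the currently known edges."""
    seen, stack = {start}, [start]
    while stack:
        n = stack.pop()
        for src, dst in edges:
            if dst == n and src not in seen:
                seen.add(src)
                stack.append(src)
    return seen


def chain_to(edges, entry, target):
    """One known path entry -> target (BFS), reported as the attack chain."""
    parent, queue = {entry: None}, [entry]
    while queue:
        n = queue.pop(0)
        if n == target:
            break
        for src, dst in edges:
            if src == n and dst not in parent:
                parent[dst] = n
                queue.append(dst)
    if target not in parent:
        return []
    path, n = [], target
    while n is not None:
        path.append(n)
        n = parent[n]
    return path[::-1]


def localize(symptom, hidden=HIDDEN_EDGES, catalogue=CATALOGUE, entries=ENTRY_POINTS):
    """Walk back from `symptom`, deploying a detector only when the known graph
    dead-ends. Returns (attack_chain, deployed_names, total_cost) or None."""
    known, deployed, total = set(), [], 0.0
    while True:
        reached = backward_closure(known, symptom)
        hits = reached & entries
        if hits:
            entry = sorted(hits)[0]
            return chain_to(known, entry, symptom), [d.name for d in deployed], total
        # Dead ends: reached nodes with no known incoming edge. The next
        # detector must cover at least one of their kinds.
        dead_kinds = {kind(n) for n in reached if not any(d == n for _, d in known)}
        candidates = [d for d in catalogue if d not in deployed and d.covers & dead_kinds]
        if not candidates:
            return None  # nothing left that could reveal the missing hop
        # Cost-aware choice: cheapest per dead-end kind it would illuminate.
        best = min(candidates, key=lambda d: d.cost / len(d.covers & dead_kinds))
        deployed.append(best)
        total += best.cost
        known |= {e for e in hidden if kind(e[1]) in best.covers}


def deploy_everything_cost(catalogue=CATALOGUE):
    """Baseline the abstract argues against: run every detector up front."""
    return sum(d.cost for d in catalogue)


if __name__ == "__main__":
    chain, used, cost = localize("net:outbound:6667")
    print(" -> ".join(chain))
    print("deployed:", used, "cost:", cost, "vs deploy-all:", deploy_everything_cost())
```

On this constructed input the search needs three of the four detectors, skipping the expensive whole-system tracker, and recovers the chain from the inbound web request to the bot's outbound connection. The per-kind cost scoring is a deliberate simplification; a real deployment would also weigh a detector's false-positive rate and the runtime overhead it imposes on the monitored service.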


Keywords (machine-generated, not supplied by the authors): Dependency Graph; Intrusion Detection System; Reachability Analysis; Attack Scenario; Forensic Analysis





Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Saman Aliari Zonouz, University of Illinois, USA
  • Kaustubh R. Joshi, AT&T Labs Research, USA
  • William H. Sanders, University of Illinois, USA
