
System Health and Intrusion Monitoring Using a Hierarchy of Constraints

Conference paper, Recent Advances in Intrusion Detection (RAID 2001)
Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2212)

Abstract

This paper presents a new approach to run-time security monitoring that can detect system abnormalities, including attacks, faults, and operational errors. The approach, System Health and Intrusion Monitoring (SHIM), employs a hierarchy of constraints to describe the correct operation of a system at various levels of abstraction. The constraints capture the static behavior, dynamic behavior, and time-critical behavior of a system. A system in execution is monitored for violations of the constraints, which may indicate security problems in the system. SHIM is based on specification-based intrusion detection, but it attempts to provide a systematic framework for developing the specifications (constraints). SHIM does not directly detect the intrusive actions in an attack, but rather their manifestations as violations of constraints. In this paper, we describe the constraint model and the methodology for developing the constraints, and we present preliminary results on the constraints developed for host programs and network protocols. By bounding the behavior of various system components at different levels of abstraction, SHIM has a high chance of detecting different types of attacks and their variants.
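The abstract names three kinds of constraints (static, dynamic, time-critical) and says that attacks are detected only through the constraint violations they cause. The following Python program is an added illustration of that idea and is not code from the paper; the paper's own constraint language is not reproduced on this page. It monitors a constructed syscall-style trace of a hypothetical anonymous-FTP daemon called "ftpd". The program name, the three constraints, the event vocabulary, the trace itself and the 300 ms deadline are all assumptions made for the example.

```python
"""Hierarchy-of-constraints monitor over a constructed syscall-style trace.

Added illustration of the abstract's idea (static, dynamic and time-critical
constraints whose violations flag abnormal behaviour). NOT the paper's own
constraint language; "ftpd", the events and the thresholds are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Event:
    t_ms: int   # timestamp in milliseconds (constructed)
    pid: int
    prog: str   # program that issued the event
    op: str     # "setuid", "open", "execve", "request", "reply"
    arg: str = ""


class StaticConstraint:
    """Must hold for each event on its own, independent of history."""

    def __init__(self, name: str, applies: Callable[[Event], bool],
                 ok: Callable[[Event], bool]):
        self.name, self.applies, self.ok = name, applies, ok

    def check(self, ev: Event) -> Optional[str]:
        if self.applies(ev) and not self.ok(ev):
            return f"{self.name}: {ev.prog}[{ev.pid}] {ev.op} {ev.arg}"
        return None


class DynamicConstraint:
    """Ordering constraint per process: op 'must' has to precede op 'before'."""

    def __init__(self, name: str, prog: str, must: str, before: str):
        self.name, self.prog, self.must, self.before = name, prog, must, before
        self.done: Dict[int, bool] = {}   # pid -> 'must' already seen

    def check(self, ev: Event) -> Optional[str]:
        if ev.prog != self.prog:
            return None
        if ev.op == self.must:
            self.done[ev.pid] = True
        elif ev.op == self.before and not self.done.get(ev.pid):
            return (f"{self.name}: {ev.prog}[{ev.pid}] {ev.op} {ev.arg} "
                    f"without prior {self.must}")
        return None


class TimingConstraint:
    """Every 'start' op in a process must be answered by 'end' within max_ms."""

    def __init__(self, name: str, start: str, end: str, max_ms: int):
        self.name, self.start, self.end, self.max_ms = name, start, end, max_ms
        self.pending: Dict[int, int] = {}   # pid -> time of unanswered start

    def check(self, ev: Event) -> Optional[str]:
        if ev.op == self.start:
            self.pending[ev.pid] = ev.t_ms
        elif ev.op == self.end and ev.pid in self.pending:
            elapsed = ev.t_ms - self.pending.pop(ev.pid)
            if elapsed > self.max_ms:
                return (f"{self.name}: {ev.prog}[{ev.pid}] {self.end} after "
                        f"{elapsed} ms (limit {self.max_ms})")
        return None

    def flush(self, now_ms: int) -> List[str]:
        """Report starts whose deadline passed with no end event at all."""
        late = []
        for pid, t0 in list(self.pending.items()):
            if now_ms - t0 > self.max_ms:
                late.append(f"{self.name}: pid {pid} {self.start} unanswered "
                            f"after {now_ms - t0} ms")
                del self.pending[pid]
        return late


def monitor(constraints, trace: List[Event]) -> List[str]:
    """Run every constraint over the trace in order; return violation strings."""
    violations: List[str] = []
    for ev in trace:
        for c in constraints:
            v = c.check(ev)
            if v:
                violations.append(v)
    now = trace[-1].t_ms if trace else 0
    for c in constraints:
        if isinstance(c, TimingConstraint):
            violations.extend(c.flush(now))
    return violations


def ftpd_constraints():
    """Hypothetical constraints for an anonymous-FTP daemon (assumptions)."""
    return [
        StaticConstraint("static.open-scope",
                         applies=lambda e: e.prog == "ftpd" and e.op == "open",
                         ok=lambda e: e.arg.startswith("/home/ftp/")),
        DynamicConstraint("dynamic.drop-priv-before-exec",
                          prog="ftpd", must="setuid", before="execve"),
        TimingConstraint("timing.reply-deadline",
                         start="request", end="reply", max_ms=300),
    ]


# Constructed trace: a clean start, then one violation of each constraint kind.
SAMPLE_TRACE = [
    Event(0,    42, "ftpd", "setuid", "ftp"),
    Event(10,   42, "ftpd", "open", "/home/ftp/pub/README"),
    Event(20,   42, "ftpd", "open", "/etc/shadow"),        # static violation
    Event(30,   43, "ftpd", "execve", "/bin/sh"),          # dynamic violation
    Event(100,  42, "ftpd", "request", "LIST"),
    Event(600,  42, "ftpd", "reply", "LIST"),              # 500 ms > 300 ms
    Event(700,  44, "ftpd", "request", "RETR"),            # never answered
    Event(1200, 42, "ftpd", "open", "/home/ftp/pub/file"),
]


def example_violations() -> List[str]:
    return monitor(ftpd_constraints(), SAMPLE_TRACE)


if __name__ == "__main__":
    for v in example_violations():
        print(v)
```

Note that the timing constraint is checked in two places: when a reply arrives (a late reply) and again at the end of the trace through `flush` (a reply that never arrives). A monitor that only checks on the reply event would silently miss the second case, which is exactly the hung-daemon failure mode a time-critical constraint exists to catch; a live monitor would call `flush` from a timer rather than at end of trace.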

This research is supported by the Defense Advanced Research Projects Agency (DARPA) under contract F30602-00-C-0210.




© 2001 Springer-Verlag Berlin Heidelberg


Cite this paper

Ko, C., Brutch, P., Rowe, J., Tsafnat, G., Levitt, K. (2001). System Health and Intrusion Monitoring Using a Hierarchy of Constraints. In: Lee, W., Mé, L., Wespi, A. (eds) Recent Advances in Intrusion Detection. RAID 2001. Lecture Notes in Computer Science, vol 2212. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45474-8_12


  • DOI: https://doi.org/10.1007/3-540-45474-8_12


  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-42702-5

  • Online ISBN: 978-3-540-45474-8
