Abstract
Host-based Intrusion Detection Systems (IDS) that rely on audit data exhibit a delay between attack execution and attack detection. A knowledgeable attacker can use this delay to disable the IDS, often by executing an attack that increases privilege. To prevent this, we have begun to develop a system to detect these attacks before they are executed. The system separates incoming data into several categories, each of which is summarized using feature statistics that are combined to estimate the posterior probability that the data contains attack code. Our work to date has focused on detecting attacks embedded in shell code and C source code. We have evaluated this system by constructing large databases of normal and attack software written by many people, selecting features and training classifiers, and then testing the system on a disjoint corpus of normal and attack code. Results show that such attack code can be detected accurately.
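The pipeline the abstract describes, as an added toy illustration that is not the paper's code: each input is routed to a category, summarized by keyword-count feature statistics, and those statistics are combined by Bayes' rule into a posterior probability that the input contains attack code. The keyword lists, training counts, category router and prior are constructed assumptions, not the features or data the authors used.

```python
"""Toy version of the abstract's pipeline: categorize, compute feature
statistics, combine them into P(attack | features). Everything numeric
here is constructed for illustration, not taken from the paper."""
import math
import re
from collections import Counter

# Constructed keyword feature sets, one per input category (assumption).
FEATURES = {
    "c": ["setuid", "execve", "system", "strcpy", "printf", "return"],
    "shell": ["chmod", "chown", "cp", "echo", "ls", "exit"],
}
# Constructed aggregate keyword counts from labelled training samples.
TRAIN = {
    "c": {"attack": Counter({"setuid": 6, "execve": 5, "strcpy": 8,
                             "system": 4, "printf": 2, "return": 3}),
          "normal": Counter({"strcpy": 2, "system": 1, "printf": 12,
                             "return": 10})},
    "shell": {"attack": Counter({"chmod": 6, "chown": 5, "cp": 3,
                                 "echo": 2, "ls": 1, "exit": 2}),
              "normal": Counter({"chmod": 1, "cp": 4, "echo": 10,
                                 "ls": 8, "exit": 5})},
}

def categorize(text: str) -> str:
    """Toy router (assumption): C if it has a preprocessor include, else shell."""
    return "c" if "#include" in text else "shell"

def feature_counts(text: str, category: str) -> Counter:
    """Feature statistics: occurrences of each selected keyword as a whole word."""
    return Counter({w: len(re.findall(r"\b%s\b" % re.escape(w), text))
                    for w in FEATURES[category]})

def log_likelihood(counts: Counter, category: str, label: str) -> float:
    """Multinomial model with add-one smoothing over the category's keywords."""
    table, vocab = TRAIN[category][label], FEATURES[category]
    total = sum(table[w] for w in vocab) + len(vocab)
    return sum(counts[w] * math.log((table[w] + 1) / total) for w in vocab)

def posterior_from_counts(counts: Counter, category: str,
                          prior_attack: float = 0.1) -> float:
    """Bayes' rule: P(attack | x) from the two class likelihoods and a prior."""
    la = log_likelihood(counts, category, "attack") + math.log(prior_attack)
    ln = log_likelihood(counts, category, "normal") + math.log(1 - prior_attack)
    return 1.0 / (1.0 + math.exp(ln - la))

def attack_posterior(text: str, prior_attack: float = 0.1) -> float:
    """Full pipeline for one input: categorize, summarize, combine."""
    category = categorize(text)
    return posterior_from_counts(feature_counts(text, category), category, prior_attack)

if __name__ == "__main__":
    sample = "#include <stdio.h>\nint main(void) { printf(\"hi\\n\"); return 0; }\n"
    print(categorize(sample), round(attack_posterior(sample), 3))
```

A high-scoring feature vector can be tested directly with `posterior_from_counts`, which is how the detection threshold would be tuned against a labelled corpus.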
This work was sponsored by the Department of the Air Force under Air Force contract F19628-00-C-0002. Opinions, interpretations, conclusions, and recommendations are those of the authors and are not necessarily endorsed by the United States Air Force.
© 2001 Springer-Verlag Berlin Heidelberg
Cunningham, R.K., Stevenson, C.S. (2001). Accurately Detecting Source Code of Attacks That Increase Privilege. In: Lee, W., Mé, L., Wespi, A. (eds) Recent Advances in Intrusion Detection. RAID 2001. Lecture Notes in Computer Science, vol 2212. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45474-8_7
DOI: https://doi.org/10.1007/3-540-45474-8_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-42702-5
Online ISBN: 978-3-540-45474-8