Runtime Detection of Zero-Day Vulnerability Exploits in Contemporary Software Systems

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9766)

Abstract

It is argued that runtime verification techniques can be used to identify unknown application security vulnerabilities that are a consequence of unexpected execution paths in software. A methodology is proposed for building a model of expected application execution paths during the software development cycle. This model is used at runtime to detect exploitation of unknown security vulnerabilities using anomaly-detection-style techniques. The approach is evaluated by considering its effectiveness in identifying 19 vulnerabilities across 26 versions of Apache Struts over a 5-year period.

Keywords

Anomaly Detection, Method Call, Execution Path, Behavioral Norm, Application Execution

Notes

Acknowledgement

This work was supported, in part, by Science Foundation Ireland under grant SFI/12/RC/2289.


Copyright information

© IFIP International Federation for Information Processing 2016

Authors and Affiliations

  1. Ireland Lab, IBM, Dublin, Ireland
  2. Department of Computer Science, University College Cork, Cork, Ireland
