Taint-Enhanced Anomaly Detection

  • Lorenzo Cavallaro
  • R. Sekar
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7093)

Abstract

Anomaly detection has been popular for a long time due to its ability to detect novel attacks. However, its practical deployment has been limited due to false positives. Taint-based techniques, on the other hand, can avoid false positives for many common exploits (e.g., code or script injection), but their applicability to a broader range of attacks (non-control data attacks, path traversals, race condition attacks, and other unknown attacks) is limited by the need for accurate policies on the use of tainted data. In this paper, we develop a new approach that combines the strengths of these approaches. Our combination is very effective, detecting attack types that have been problematic for taint-based techniques, while significantly cutting down the false positives experienced by anomaly detection. The intuitive justification for this result is that a successful attack involves unusual program behaviors that are exercised by an attacker. Anomaly detection identifies unusual behaviors, while fine-grained taint can filter out behaviors that do not seem controlled by attacker-provided data.

Keywords

Intrusion Detection Anomaly Detection System Call Detection Phase Structural Inference 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Bhatkar, S., Chaturvedi, A., Sekar, R.: Dataflow anomaly detection. In: IEEE Security and Privacy (2006)Google Scholar
  2. 2.
    Cavallaro, L., Sekar, R.: Anomalous taint detection (extended abstract). In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 417–418. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  3. 3.
    Chen, S., Xu, J., Sezer, E.C., Gauriar, P., Iyer, R.K.: Non-Control-Data Attacks Are Realistic Threats. In: USENIX Security Symposium (2005)Google Scholar
  4. 4.
    Feng, H., Kolesnikov, O., Fogla, P., Lee, W., Gong, W.: Anomaly Detection using Call Stack Information. In: IEEE Symposium on Security and Privacy (2003)Google Scholar
  5. 5.
    Fetzer, C., Susskraut, M.: Switchblade: enforcing dynamic personalized system call models. In: EuroSys (2008)Google Scholar
  6. 6.
    Forrest, S., Hofmeyr, S.A., Somayaji, A., Longstaff, T.A.: A Sense of Self for Unix Processes. In: IEEE Symposium on Security and Privacy (1996)Google Scholar
  7. 7.
    Gao, D., Reiter, M.K., Song, D.: Gray-box extraction of execution graphs for anomaly detection. In: ACM CCS (October 2004)Google Scholar
  8. 8.
    Giffin, J.T., Jha, S., Miller, B.P.: Efficient context-sensitive intrusion detection. In: NDSS (2004)Google Scholar
  9. 9.
    Hofmeyr, S.A., Forrest, S., Somayaji, A.: Intrusion Detection Using Sequences of System Calls. Journal of Computer Security (1998)Google Scholar
  10. 10.
    Hofmeyr, S.A., Forrest, S., Somayaji, A.: Intrusion detection using sequences of system calls. Journal of Computer Security (JCS) 6(3), 151–180 (1998)CrossRefGoogle Scholar
  11. 11.
    Kong, J., Zou, C.C., Zhou, H.: Improving Software Security via Runtime Instruction-level Taint Checking. In: Workshop on Architectural and System Support for Improving Software Dependability (2006)Google Scholar
  12. 12.
    Kruegel, C., Kirda, E., Mutz, D., Robertson, W., Vigna, G.: Automating Mimicry Attacks Using Static Binary Analysis. In: USENIX Security Symposium (2005)Google Scholar
  13. 13.
    Kruegel, C., Mutz, D., Valeur, F., Vigna, G.: On the detection of anomalous system call arguments. In: Snekkenes, E., Gollmann, D. (eds.) ESORICS 2003. LNCS, vol. 2808, pp. 326–343. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  14. 14.
    Li, P., Park, H., Gao, D., Fu, J.: Bridging the gap between data-flow and control-flow analysis for anomaly detection. In: Annual Computer Security Applications Conference (2008)Google Scholar
  15. 15.
    Liu, A., Jiang, X., Jin, J., Mao, F., Chen, J.: Enhancing System-Called-Based Intrusion Detection with Protocol Context. In: IARIA SECURWARE (August 2011)Google Scholar
  16. 16.
    Ming, J., Zhang, H., Gao, D.: Towards Ground Truthing Observations in Gray-Box Anomaly Detection. In: International Conference on Network and System Security (2011)Google Scholar
  17. 17.
    Mutz, D., Valeur, F., Kruegel, C., Vigna, G.: Anomalous System Call Detection. ACM Transactions on Information and System Security 9(1), 61–93 (2006)CrossRefGoogle Scholar
  18. 18.
    Mutz, D., Robertson, W., Vigna, G., Kemmerer, R.A.: Exploiting Execution Context for the Detection of Anomalous System Calls. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 1–20. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  19. 19.
    Newsome, J., Song, D.X.: Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. In: NDSS (2005)Google Scholar
  20. 20.
    Nguyen-Tuong, A., Guarnieri, S., Greene, D., Shirley, J., Evans, D.: Automatically Hardening Web Applications Using Precise Tainting (2005)Google Scholar
  21. 21.
    Parampalli, C., Sekar, R., Johnson, R.: A practical mimicry attack against powerful system-call monitors. In: AsiaCCS (2008)Google Scholar
  22. 22.
    Pietraszek, T., Berghe, C.V.: Defending Against Injection Attacks Through Context-Sensitive String Evaluation. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 124–145. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  23. 23.
    Sarrouy, O., Totel, E., Jouga, B.: Building an Application Data Behavior Model for Intrusion Detection. In: Gudes, E., Vaidya, J. (eds.) Data and Applications Security XXIII. LNCS, vol. 5645, pp. 299–306. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  24. 24.
    Saxena, P., Sekar, R., Puranik, V.: Efficient fine-grained binary instrumentation with applications to taint-tracking. In: CGO (April 2008)Google Scholar
  25. 25.
    Sekar, R.: An efficient black-box technique for defeating web application attacks. In: NDSS (2009)Google Scholar
  26. 26.
    Sekar, R., Bendre, M., Dhurjati, D., Bollineni, P.: A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors. In: IEEE Symposium on Security and Privacy (2001)Google Scholar
  27. 27.
    Su, Z., Wassermann, G.: The essence of command injection attacks in web applications. In: POPL (2006)Google Scholar
  28. 28.
    Suh, G.E., Lee, J.W., Zhang, D., Devadas, S.: Secure Program Execution via Dynamic Information Flow Tracking. In: ASPLOS (2004)Google Scholar
  29. 29.
    Tandon, G., Chan, P.: Learning rules from system call arguments and sequences for anomaly detection. In: on Data Mining for Computer Security (2003)Google Scholar
  30. 30.
    Wagner, D., Dean, D.: Intrusion Detection via Static Analysis. In: IEEE Symposium on Security and Privacy (2001)Google Scholar
  31. 31.
    Wagner, D., Soto, P.: Mimicry Attacks on Host Based Intrusion Detection Systems. In: ACM CCS (2002)Google Scholar
  32. 32.
    Wespi, A., Dacier, M., Debar, H.: Intrusion detection using variable-length audit trail patterns. In: Debar, H., Mé, L., Wu, S.F. (eds.) RAID 2000. LNCS, vol. 1907, pp. 110–129. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  33. 33.
    Xu, W., Bhatkar, S., Sekar, R.: Taint-enhanced Policy Enforcement: a Practical Approach to Defeat a Wide Range of Attacks. In: USENIX Security Symposium (2006)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Lorenzo Cavallaro
    • 1
  • R. Sekar
    • 2
  1. 1.Department of Computer ScienceVrije UniversiteitAmsterdamThe Netherlands
  2. 2.Department of Computer ScienceStony Brook UniversityUSA

Personalised recommendations