Using Static Program Analysis to Aid Intrusion Detection

  • Conference paper
Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2006)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 4064)

Abstract

The Internet, and in particular the world-wide web, have become part of the everyday life of millions of people. With the growth of the web, the demand for on-line services rapidly increased. Today, whole industry branches rely on the Internet to do business. Unfortunately, the success of the web has recently been overshadowed by frequent reports of security breaches. Attackers have discovered that poorly written web applications are the Achilles heel of many organizations. The reason is that these applications are directly available through firewalls and are often developed by programmers who focus on features and tight schedules instead of security.

In previous work, we developed an anomaly-based intrusion detection system that uses learning techniques to identify attacks against web-based applications. That system focuses on the analysis of the request parameters in client queries, but does not take into account any information about the protected web applications themselves. The result is imprecise models that lead to more false positives and false negatives than necessary.

In this paper, we describe a novel static source code analysis approach for PHP that allows us to incorporate information about a web application into the intrusion detection models. The goal is to obtain a more precise characterization of web request parameters by analyzing their usage by the program. This allows us to generate more precise intrusion detection models. In particular, our analysis allows us to determine the names of request parameters expected by a program and provides information about their types, structure, or even concrete value sets. Our experimental evaluation demonstrates that the information derived statically from web applications closely characterizes the parameter values observed in real-world traffic.
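To make the idea concrete, the following added example (not code from the paper or its authors) sketches a toy version of the approach: a small static pass over a constructed PHP snippet recovers the request parameters the script reads, infers a type or value set from the checks applied to them, and a second function flags requests that fall outside those derived models. The regular-expression matching stands in for the real source-code analysis and is an assumption of this example.

```python
import re

# Constructed PHP snippet (not from the paper): a toy page whose request
# parameter usage the analysis below inspects.
PHP_SOURCE = r'''
<?php
$id = $_GET['id'];
if (!is_numeric($id)) { die("bad id"); }
$action = $_GET['action'];
if (!in_array($action, array('view', 'edit', 'delete'))) { die("bad action"); }
$name = $_POST['name'];
?>
'''

# Assignments of request parameters to local variables, and the two
# kinds of checks this toy analysis understands.
PARAM_RE = re.compile(r"\$(\w+)\s*=\s*\$_(GET|POST)\['(\w+)'\]")
NUMERIC_RE = re.compile(r"is_numeric\(\$(\w+)\)")
INARRAY_RE = re.compile(r"in_array\(\$(\w+),\s*array\(([^)]*)\)\)")

def derive_models(source):
    """Map each request parameter to ('numeric', None), ('enum', set) or ('any', None)."""
    var_to_param = {var: param for var, _, param in PARAM_RE.findall(source)}
    models = {param: ("any", None) for param in var_to_param.values()}
    for var in NUMERIC_RE.findall(source):
        if var in var_to_param:
            models[var_to_param[var]] = ("numeric", None)
    for var, items in INARRAY_RE.findall(source):
        if var in var_to_param:
            values = {v.strip().strip("'\"") for v in items.split(",") if v.strip()}
            models[var_to_param[var]] = ("enum", values)
    return models

def check_request(models, params):
    """Return the anomalies found when one request's parameters are checked against the models."""
    anomalies = []
    for name, value in params.items():
        if name not in models:
            anomalies.append(f"unexpected parameter {name!r}")
            continue
        kind, allowed = models[name]
        if kind == "numeric" and not re.fullmatch(r"-?\d+(\.\d+)?", value):
            anomalies.append(f"{name!r} not numeric: {value!r}")
        elif kind == "enum" and value not in allowed:
            anomalies.append(f"{name!r} outside value set: {value!r}")
    return anomalies
```

A parameter the script never reads, a non-numeric `id`, or an `action` outside the literal set are all reported, which is the kind of precision a model learned only from traffic cannot guarantee.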

Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Egele, M., Szydlowski, M., Kirda, E., Kruegel, C. (2006). Using Static Program Analysis to Aid Intrusion Detection. In: Büschkes, R., Laskov, P. (eds) Detection of Intrusions and Malware & Vulnerability Assessment. DIMVA 2006. Lecture Notes in Computer Science, vol 4064. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11790754_2

  • DOI: https://doi.org/10.1007/11790754_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-36014-8

  • Online ISBN: 978-3-540-36017-9

  • eBook Packages: Computer Science (R0)
