Advertisement

Efficient Intrusion Detection Based on Static Analysis and Stack Walks

  • Jingyu Hua
  • Mingchu Li
  • Kouichi Sakurai
  • Yizhi Ren
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5824)

Abstract

Some intrusion detection models such as the VPStatic first construct a behavior model for a program via static analysis, and then perform intrusion detection by monitoring whether its execution is consistent with this behavior model. These models usually share the highly desirable feature that they do not produce false alarms but they face the conflict between precision and efficiency. The high precision of the VPStatic is at the cost of high space complexity. In this paper, we propose a new context-sensitive intrusion detection model based on static analysis and stack walks, which is similar to VPStatic but much more efficient, especially in memory use. We replace the automaton in the VPStatic with a state transition table (STT) and all redundant states and transitions in VPStatic are eliminated. We prove that our STT model is a deterministic pushdown automaton (DPDA) and the precision is the same as the VPStatic. Experiments also demonstrate that our STT model reduces both time and memory costs comparing with the VPStatic, in particular, memory overheads are less than half of the VPStatic’s. Thereby, we alleviate the conflict between precision and efficiency.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Forrest, S., Longstaff, T.: A sense of self for unix processes. In: 1996 IEEE Symposium on Security and Privacy, pp. 120–128. IEEE Press, Oakland (1996)CrossRefGoogle Scholar
  2. 2.
    Feng, H.H., Giffin, J.T., Huang, Y., Jha, S., Lee, W., Miller, B.P.: Formalizing sensitivity in static analysis for intrusion detection. In: 2004 IEEE Symposium on Security and Privacy, pp. 194–208. IEEE Press, California (2004)Google Scholar
  3. 3.
    Gopalakrishna, R., Spafford, E.H., Vitek, J.: Efficient Intrusion Detection using Automaton Inlining. In: 2005 IEEE Symposium on Security and Privacy, pp. 18–21. IEEE Press, Washington (2005)CrossRefGoogle Scholar
  4. 4.
    Wagner, D., Dean, D.: Intrusion detection via static analysis. In: 2001 IEEE Symposium on Security and Privacy, p. 156. IEEE Press, Oakland (2001)Google Scholar
  5. 5.
    Wagner, D., Soto, P.: Mimicry attacks on host-based intrusion detection systems. In: 9th ACM Conference on Computer and Communications Security, pp. 255–264. ACM Press, Washington (2002)CrossRefGoogle Scholar
  6. 6.
    Saidi, H.: Guarded Models for Intrusion Detection. In: 2007 Workshop on Programming languages and analysis for security, pp. 85–94. ACM Press, San Diego (2007)CrossRefGoogle Scholar
  7. 7.
    Feng, H., Kolesnikov, P.F., Lee, W.: Anomaly detection using call stack information. In: 2003 IEEE Symposium on Security and Privacy, p. 62. IEEE Press, Los Alamitos (2003)Google Scholar
  8. 8.
    Gao, D., Reiter, M.K., Song, D.: Gray-box extraction of execution graphs for anomaly detection. In: 11th ACM Conference on Computer and Communications Security, pp. 318–329. ACM Press, Washington (2004)CrossRefGoogle Scholar
  9. 9.
    Giffin, J.T., Dagon, S., Jha, S., Lee, W., Miller, B.P.: Environment-sensitive intrusion detection. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 185–206. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  10. 10.
    Feng, H.: Dynamic monitoring and static analysis: new approaches for intrusion detection. PhD Dissertation, University of Massachusetts Amherst (2005)Google Scholar
  11. 11.
    Castro, M., Costa, M., Harris, T.: Securing software by enforcing data-flow integrity. In: 6th Symposium on Operating Systems Design and Implementation, pp. 147–160. USENIX Association, Seattle (2006)Google Scholar
  12. 12.
    Giffin, J.T., Jha, S., Lee, W., Miller, B.P.: Efficient context-sensitive intrusion detection. In: 11th Annual Network and Distributed Systems Security Symposium. Internet Society, San Diego (2004)Google Scholar
  13. 13.
    Chen, S., Xu, J., Sezer, E.C., Gauriar, P., Iver, R.K.: Non-control- data attacks are realistic threats. In: 14th USENIX Security Symposium, pp. 1–12. USENIX Association, Baltimore (2005)Google Scholar
  14. 14.
    Hopcroft, J., Motwani, R., Ullman, J.: Introduction to Automata Theory, Languages, and Computation. Addison Wesley, New Jersey (2001)zbMATHGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Jingyu Hua
    • 1
  • Mingchu Li
    • 1
  • Kouichi Sakurai
    • 2
  • Yizhi Ren
    • 1
    • 2
  1. 1.School of SoftwareDalian University of TechnologyDalianChina
  2. 2.Dept.of Computer Science and Communication Engineeringkyushu UniversityFukuokaJapan

Personalised recommendations