Efficient Intrusion Detection Based on Static Analysis and Stack Walks
Some intrusion detection models, such as VPStatic, first construct a behavior model for a program via static analysis and then perform intrusion detection by monitoring whether the program's execution is consistent with that model. These models usually share the highly desirable feature that they produce no false alarms, but they face a conflict between precision and efficiency: the high precision of VPStatic comes at the cost of high space complexity. In this paper, we propose a new context-sensitive intrusion detection model based on static analysis and stack walks, which is similar to VPStatic but much more efficient, especially in memory use. We replace the automaton in VPStatic with a state transition table (STT), eliminating all of VPStatic's redundant states and transitions. We prove that our STT model is a deterministic pushdown automaton (DPDA) whose precision equals that of VPStatic. Experiments also show that the STT model reduces both time and memory costs compared with VPStatic; in particular, its memory overhead is less than half of VPStatic's. We thereby alleviate the conflict between precision and efficiency.
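The abstract describes the monitor only at the level of a table-driven DPDA fed by stack walks at each system call. The sketch below is an added illustration of that general idea, written for this page; it is not the paper's STT model, its table format or its code. The toy program (main issues open, calls helper twice from return sites R1 and R2, then close; helper issues read and write), the state names, the table rows and the three traces are all constructed here. Each syscall arrives with the return sites from a stack walk; frames that vanished since the previous walk become "ret" events and frames that appeared become "call" events, so the monitor never trusts the process to report calls and returns itself.

```python
"""Table-driven pushdown monitor fed by stack walks (added illustration).

Constructed toy program (not from the paper):
    main:   open; helper() [return site R1]; helper() [return site R2]; close
    helper: read; write; return
"""

ANY = "*"                 # wildcard: row applies for any stack top
PUSH, POP = "push", "pop"

# State transition table: (state, event, stack_top) -> (next_state, action).
# Events: "sys:<name>" for a syscall, "call:<site>" when a frame returning to
# <site> appears in the walked stack, "ret" when a frame disappears.
# Action: None, (PUSH, site) or (POP,). Entries are constructed by hand here;
# the paper derives its table from static analysis of the binary.
STT = {
    ("m0", "sys:open",  ANY):  ("m1", None),
    ("m1", "call:R1",   ANY):  ("h0", (PUSH, "R1")),
    ("h0", "sys:read",  ANY):  ("h1", None),
    ("h1", "sys:write", ANY):  ("h2", None),
    ("h2", "ret",       "R1"): ("m2", (POP,)),   # context-sensitive return
    ("m2", "call:R2",   ANY):  ("h0", (PUSH, "R2")),
    ("h2", "ret",       "R2"): ("m3", (POP,)),
    ("m3", "sys:close", ANY):  ("m4", None),
}
ACCEPTING = {"m4"}        # program exit


def is_deterministic(table):
    """A DPDA has at most one applicable row per (state, event, top).
    With wildcard rows, a (state, event) pair must therefore not have both
    an ANY row and a specific-top row."""
    specific = {(s, e) for (s, e, t) in table if t != ANY}
    wild = {(s, e) for (s, e, t) in table if t == ANY}
    return not (specific & wild)


class STTMonitor:
    def __init__(self, table=STT, start="m0"):
        self.table = table
        self.state = start
        self.stack = []       # the model's view of the return sites
        self.last_walk = []   # return sites seen at the previous syscall

    def step(self, event):
        """Apply one transition; False means no row matches (intrusion)."""
        top = self.stack[-1] if self.stack else None
        row = (self.table.get((self.state, event, top))
               or self.table.get((self.state, event, ANY)))
        if row is None:
            return False
        next_state, action = row
        if action is not None:
            if action[0] == POP:
                self.stack.pop()
            else:
                self.stack.append(action[1])
        self.state = next_state
        return True

    def observe(self, syscall, walked_stack):
        """Called at each syscall with the walked return sites (outermost
        first). Diffing against the previous walk recovers the returns and
        calls that happened in between, which drive the pushdown stack."""
        prev, cur = self.last_walk, list(walked_stack)
        common = 0
        while common < len(prev) and common < len(cur) and prev[common] == cur[common]:
            common += 1
        events = ["ret"] * (len(prev) - common)
        events += ["call:" + site for site in cur[common:]]
        events.append("sys:" + syscall)
        for ev in events:
            if not self.step(ev):
                return False
        self.last_walk = cur
        return self.stack == cur   # model stack must agree with the real one


def check_trace(trace, table=STT, start="m0"):
    """True iff every syscall is accepted and the trace ends at program exit
    with an empty stack."""
    mon = STTMonitor(table, start)
    for syscall, walked in trace:
        if not mon.observe(syscall, walked):
            return False
    return mon.state in ACCEPTING and not mon.stack


# Constructed traces: (syscall, walked stack of return sites, outermost first)
BENIGN = [("open", []), ("read", ["R1"]), ("write", ["R1"]),
          ("read", ["R2"]), ("write", ["R2"]), ("close", [])]
INJECTED = BENIGN[:3] + [("execve", ["R1"])]     # syscall helper never issues
CORRUPTED = BENIGN[:3] + [("read", ["0xdead"])]  # overwritten return address

if __name__ == "__main__":
    print("deterministic:", is_deterministic(STT))
    for name, trace in [("benign", BENIGN), ("injected", INJECTED), ("corrupted", CORRUPTED)]:
        print(name, "accepted" if check_trace(trace) else "REJECTED")
```

The two rejected traces show the two failure modes such a monitor catches: a system call issued from a state whose table row does not exist (the injected execve), and a return to a site the static model never produced (the corrupted return address, which surfaces as an unmatched "call" event after the diff of the two walks). The table lookup is a single dictionary probe per event, which is the flavour of memory and time saving the abstract attributes to replacing the automaton with a table, though the real STT is built from the binary's control-flow graph rather than written by hand.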