Expressive, Efficient and Obfuscation Resilient Behavior Based IDS

Behavior based intrusion detection systems (BIDS) offer the only effective solution against modern malware. While dynamic BIDS have obvious advantages, their success hinges upon three interrelated factors: signature expressiveness, vulnerability to behavioral obfuscation, and the run-time efficiency of signature matching. To achieve higher signature expressiveness, we propose a new approach to the formal specification of malicious functionalities based on abstract activity diagrams (AD) that incorporate multiple realizations of the specified functionality. We analyzed both inter- and intra-process behavioral obfuscation techniques that can compromise existing BIDS. As a solution, we propose specification generalization, which augments (generalizes) an otherwise obfuscation-prone specification into a more generic, obfuscation-resilient one. We suggest colored Petri nets as the basis for functionality recognition at the system call level. We implemented a prototype IDS and evaluated it on malicious and legitimate programs. The experimental results indicated extremely low false positive and false negative rates. Moreover, the IDS shows very low execution overhead and a negligible overhead penalty due to anti-obfuscation generalization.
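As an added example that is not part of the paper or its prototype: a minimal colored-Petri-net recognizer in Python, replayed over constructed system-call traces, with a naive specification next to a generalized one that also accepts equivalent calls and propagates tokens to a forked child. The "copy own image" functionality, the syscall names, the guards and the traces are my assumptions for illustration, not the paper's specifications.

```python
# Added illustration, not the paper's code: a minimal colored-Petri-net recognizer
# replayed over constructed system-call traces. Tokens carry colors (pid, source and
# destination handles) that the guards compare against event arguments.
SELF = "/bin/dropper"   # constructed path standing for the process's own image
# Guards: (token, pid, args) -> output token or None; token is None for a start transition
def t_open_self(_, pid, a):
    return {"pid": pid, "src": a["ret"]} if a.get("path") == SELF else None
def t_read_src(t, pid, a):      # read through the handle that was opened on SELF
    return t if a.get("fd") == t["src"] else None
def t_create_dst(t, pid, a):    # creat, or open with a write flag
    return dict(t, dst=a["ret"]) if "w" in a.get("flags", "w") else None
def t_write_dst(t, pid, a):
    return t if a.get("fd") == t["dst"] else None
# Transition = (accepted syscalls, input place, output place, guard)
NAIVE = [({"open"}, None, "opened", t_open_self),
         ({"read"}, "opened", "read", t_read_src),
         ({"creat"}, "read", "created", t_create_dst),
         ({"write"}, "created", "done", t_write_dst)]
GENERAL = [({"open"}, None, "opened", t_open_self),             # generalized spec:
           ({"read", "mmap"}, "opened", "read", t_read_src),    # each transition also
           ({"creat", "open"}, "read", "created", t_create_dst),  # accepts equivalent
           ({"write", "pwrite"}, "created", "done", t_write_dst)]  # system calls

def recognize(spec, trace, fork_inherits=False):
    marking = []                                  # list of (place, token)
    for pid, call, args in trace:
        if call == "fork" and fork_inherits:      # inter-process generalization:
            marking += [(p, dict(t, pid=args["child"]))      # the child inherits
                        for p, t in marking if t["pid"] == pid]  # the parent's tokens
            continue
        for calls, src, dst, fire in spec:
            if call not in calls:
                continue
            # enabled bindings: start transitions need no token, others need one of this pid
            cands = [(None, None)] if src is None else [
                (p, t) for p, t in marking if p == src and t["pid"] == pid]
            for p, t in cands:
                new = fire(t, pid, args)
                if new:
                    if p is not None:
                        marking.remove((p, t))    # consume the input token
                    marking.append((dst, new))    # produce the output token
                    break
    return any(p == "done" for p, _ in marking)

# Constructed traces: a plain realization, and an obfuscated one (mmap for read, junk call, child does the write)
PLAIN = [(1, "open", {"path": SELF, "flags": "r", "ret": 3}), (1, "read", {"fd": 3}),
         (1, "creat", {"path": "/tmp/copy", "ret": 4}), (1, "write", {"fd": 4})]
OBFUSCATED = [(1, "open", {"path": SELF, "flags": "r", "ret": 3}), (1, "getpid", {}),
              (1, "mmap", {"fd": 3}), (1, "fork", {"child": 2}),
              (2, "open", {"path": "/tmp/copy", "flags": "w", "ret": 4}), (2, "write", {"fd": 4})]
```

The naive specification recognizes only the plain trace; the generalized one, with fork inheritance enabled, recognizes both while still rejecting a trace that copies some other file.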
