Generating profile-based signatures for online intrusion and failure detection

Context: Program execution profiles have been used extensively and successfully in several dynamic analysis fields, such as software testing and fault localization.

Objective: This paper presents a pattern-matching approach, implemented as an application-based intrusion (and failure) detection system, that operates on signatures generated from execution profiles. Such signatures are not descriptions of exploits, i.e. they do not depend on the syntax or semantics of the exploits; instead they describe program events that correlate with the exploitation of program vulnerabilities.

Method: A vulnerability exploit is generally correlated with the execution of a combination of program elements, such as statements, branches, and definition-use pairs. In this work we first analyze the execution profiles of a vulnerable application to identify such suspicious combinations, define signatures that describe them, and then deploy these signatures within an intrusion detection system that performs online signature matching.

Results: To evaluate our approach, which also applies to online failure detection, we implemented it for the Java platform and applied it to seven open-source applications containing 30 vulnerabilities/defects, with the aim of detecting attacks/failures online. The approach worked well for 26 of the 30 vulnerabilities/defects (86.67%). The runtime overhead imposed by the system ranged from 46% to 102%, which we consider an acceptable cost. The average false negative and false positive rates were 0.43% and 1.03%, respectively.

Conclusion: Using profile-based signatures for online intrusion and failure detection was shown to be effective.
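The Method and Results paragraphs above describe the two halves of the approach: mining a signature as a combination of profile elements that attack runs execute and benign runs do not, and then matching that signature online against a running application's event stream. The block below is an added example of that pipeline and is not code from the paper or from its Java implementation. The element names (statements, branches, definition-use pairs of a hypothetical Parser/Buf program), the training and held-out profiles, and the greedy selection rule are all constructed assumptions; the paper does not specify this particular mining algorithm.

```python
"""Profile-based signature mining and online matching (added example, not the paper's code)."""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

Profile = Set[str]  # the set of program elements exercised by one run

# Constructed training profiles. Element names are hypothetical:
#   stmt:<class>:<line>        statement executed
#   br:<class>:<line>:<T|F>    branch outcome taken
#   du:<var>@<def>-><use>      definition-use pair exercised
ATTACK_PROFILES: List[Profile] = [
    {"stmt:Parser:40", "stmt:Parser:41", "br:Parser:44:T", "du:len@41->Buf:52", "stmt:Buf:52", "stmt:Log:10"},
    {"stmt:Parser:40", "stmt:Parser:41", "br:Parser:44:T", "du:len@41->Buf:52", "stmt:Buf:52", "stmt:Main:3"},
    {"stmt:Parser:40", "stmt:Parser:41", "br:Parser:44:T", "du:len@41->Buf:52", "stmt:Buf:52", "stmt:Buf:53", "stmt:Log:10"},
]
BENIGN_PROFILES: List[Profile] = [
    {"stmt:Parser:40", "stmt:Parser:41", "br:Parser:44:F", "du:len@41->Buf:52", "stmt:Buf:52", "stmt:Log:10"},
    {"stmt:Parser:40", "stmt:Parser:41", "br:Parser:44:T", "du:len@38->Buf:52", "stmt:Buf:52", "stmt:Main:3"},
    {"stmt:Parser:40", "stmt:Parser:41", "br:Parser:44:F", "stmt:Buf:52", "stmt:Buf:53", "stmt:Main:3"},
    {"stmt:Parser:40", "br:Parser:44:T", "stmt:Parser:45", "stmt:Log:10"},
]


def mine_signature(attacks: List[Profile], benign: List[Profile]) -> Tuple[FrozenSet[str], int]:
    """Greedily build a conjunction of elements that every attack run executes
    and that no benign run executes in full. Returns (signature, number of
    benign training runs still matched); a non-zero count means the training
    data cannot separate attacks from benign runs with a single conjunction."""
    candidates = sorted(set.intersection(*attacks))   # elements common to all attack runs
    signature: Set[str] = set()
    remaining = list(benign)                          # benign runs still matched by the conjunction
    while remaining and candidates:
        # pick the element that rules out the most still-matched benign runs
        best = max(candidates, key=lambda e: sum(e not in p for p in remaining))
        if all(best in p for p in remaining):
            break                                     # no candidate separates the rest
        signature.add(best)
        candidates.remove(best)
        remaining = [p for p in remaining if best in p]
    return frozenset(signature), len(remaining)


class OnlineMatcher:
    """Incremental matcher: feed profile events one at a time; a signature
    fires once every element of its conjunction has been observed."""

    def __init__(self, signatures: Dict[str, FrozenSet[str]]):
        self.signatures = signatures
        self.index: Dict[str, List[str]] = defaultdict(list)  # element -> signatures using it
        for name, sig in signatures.items():
            for element in sig:
                self.index[element].append(name)
        self.reset()

    def reset(self) -> None:
        self.pending = {name: set(sig) for name, sig in self.signatures.items()}
        self.fired: Set[str] = set()

    def observe(self, element: str) -> List[str]:
        fired_now = []
        for name in self.index.get(element, ()):
            self.pending[name].discard(element)
            if not self.pending[name] and name not in self.fired:
                self.fired.add(name)
                fired_now.append(name)
        return fired_now


def first_alert(matcher: OnlineMatcher, trace: List[str]) -> int:
    """Index of the event at which the first signature fires, or -1."""
    matcher.reset()
    for i, event in enumerate(trace):
        if matcher.observe(event):
            return i
    return -1


def error_rates(signatures: Dict[str, FrozenSet[str]], attacks: List[Profile],
                benign: List[Profile]) -> Tuple[float, float]:
    """(false negative rate, false positive rate) of the signature set over held-out profiles."""
    hit = lambda p: any(sig <= p for sig in signatures.values())
    fn = sum(not hit(p) for p in attacks) / len(attacks)
    fp = sum(hit(p) for p in benign) / len(benign)
    return fn, fp


# Constructed held-out data: one exploit variant that reaches Buf:52 through a
# different definition (a miss), and one benign run that coincidentally
# exercises the whole conjunction (a false alarm).
HELDOUT_ATTACKS: List[Profile] = [
    {"stmt:Parser:40", "stmt:Parser:41", "br:Parser:44:T", "du:len@41->Buf:52", "stmt:Buf:52"},
    {"stmt:Parser:40", "stmt:Parser:39", "br:Parser:44:T", "du:len@39->Buf:52", "stmt:Buf:52"},
]
HELDOUT_BENIGN: List[Profile] = [
    {"stmt:Parser:40", "stmt:Parser:41", "br:Parser:44:F", "du:len@41->Buf:52", "stmt:Buf:52"},
    {"stmt:Parser:40", "br:Parser:44:T", "stmt:Parser:45"},
    {"stmt:Parser:40", "stmt:Parser:41", "br:Parser:44:T", "du:len@41->Buf:52", "stmt:Buf:52", "stmt:Log:10"},
    {"stmt:Parser:40", "stmt:Parser:41", "stmt:Buf:52", "stmt:Buf:53"},
]
ATTACK_TRACE = ["stmt:Parser:40", "stmt:Parser:41", "br:Parser:44:T", "stmt:Buf:52", "du:len@41->Buf:52", "stmt:Log:10"]
BENIGN_TRACE = ["stmt:Parser:40", "stmt:Parser:41", "br:Parser:44:F", "stmt:Buf:52", "du:len@41->Buf:52"]

if __name__ == "__main__":
    sig, leftover = mine_signature(ATTACK_PROFILES, BENIGN_PROFILES)
    print("signature:", sorted(sig), "unseparated benign runs:", leftover)
    matcher = OnlineMatcher({"parser-overlong-len": sig})
    print("attack trace alerts at event", first_alert(matcher, ATTACK_TRACE))
    print("benign trace alerts at event", first_alert(matcher, BENIGN_TRACE))
    print("held-out (FN rate, FP rate):", error_rates({"parser-overlong-len": sig}, HELDOUT_ATTACKS, HELDOUT_BENIGN))
```

Two points the example makes concrete. The mined signature is a conjunction of two elements (the taken branch and the definition-use pair), neither of which is suspicious alone: each appears in some benign training run, and only their combination separates the classes, which is why the paper mines combinations rather than single elements. The held-out set also shows both error modes the abstract quantifies: an exploit variant whose length flows through a different definition is missed (a false negative), and a benign run that happens to exercise the whole conjunction raises a false alarm, so the matched elements are evidence of exploitation, not proof of it.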
