Application Data Consistency Checking for Anomaly Based Intrusion Detection

Host-based intrusion detection systems may be coarsely divided into two categories. Misuse-based intrusion detection systems, which rely on a database of malicious behavior; and anomaly-based intrusion detection systems which rely on the comparison of the observed behavior of the monitored application with a previously built model of its normal behavior called the reference profile. In this last approach, the reference profile is often built on the basis of the sequence of system calls the application emits during its normal executions. Unfortunately, this approach allows attackers to remain undetected by mimicing the attempted behavior of the application. Furthermore, such intrusion detection systems cannot by nature detect anything but violations of the integrity of the control flow of an application. Although, there exist quite critical attacks which do not disturb the control flow of an application and thus remain undetected. We thus propose a different approach relying on the idea that attacks often break simple constraints on the data manipulated by the program. In this perspective, we first propose to define which data are sensitive to intrusions. Then we intend to extract the constraints applying on these data items, afterwards controlling them to detect intrusions. We finally introduce an implementation of such an approach, and some encouraging results.

[1]  Nicholas Nethercote,et al.  Valgrind: a framework for heavyweight dynamic binary instrumentation , 2007, PLDI '07.

[2]  R. Sekar,et al.  A fast automaton-based method for detecting anomalous program behaviors , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[3]  Miguel Castro,et al.  Securing software by enforcing data-flow integrity , 2006, OSDI '06.

[4]  Dieter Gollmann,et al.  Computer Security — ESORICS 94 , 1994, Lecture Notes in Computer Science.

[5]  Jun Xu,et al.  Non-Control-Data Attacks Are Realistic Threats , 2005, USENIX Security Symposium.

[6]  Stephen McCamant,et al.  The Daikon system for dynamic detection of likely invariants , 2007, Sci. Comput. Program..

[7]  R. Sekar,et al.  Anomalous Taint Detection , 2008, RAID.

[8]  Bruno d'Ausbourg,et al.  Implementing Secure Dependencies over a Network by Designing a Distributed Security SubSystem , 1996, J. Comput. Secur..

[9]  Debin Gao,et al.  Gray-box extraction of execution graphs for anomaly detection , 2004, CCS '04.

[10]  Todd M. Austin,et al.  High Coverage Detection of Input-Related Security Faults , 2003, USENIX Security Symposium.

[11]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[12]  Nicholas Nethercote,et al.  How to shadow every byte of memory used by a program , 2007, VEE '07.

[13]  R. Sekar,et al.  Experiences with Specification-Based Intrusion Detection , 2001, Recent Advances in Intrusion Detection.

[14]  William G. Griswold,et al.  Dynamically discovering likely program invariants to support program evolution , 1999, Proceedings of the 1999 International Conference on Software Engineering (IEEE Cat. No.99CB37002).

[15]  James Newsome,et al.  Dynamic Taint Analysis for Automatic Detection, Analysis, and SignatureGeneration of Exploits on Commodity Software , 2005, NDSS.

[16]  R. Sekar,et al.  A practical mimicry attack against powerful system-call monitors , 2008, ASIACCS '08.

[17]  Dorothy E. Denning,et al.  A lattice model of secure information flow , 1976, CACM.

[18]  Stephanie Forrest,et al.  Intrusion Detection Using Sequences of System Calls , 1998, J. Comput. Secur..

[19]  Stephanie Forrest,et al.  A sense of self for Unix processes , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[20]  David A. Wagner,et al.  Mimicry attacks on host-based intrusion detection systems , 2002, CCS '02.