Intrusion detection via static analysis

One of the primary challenges in intrusion detection is modelling typical application behavior so that we can recognize attacks by their atypical effects without raising too many false alarms. We show how static analysis may be used to automatically derive a model of application behavior. The result is a host-based intrusion detection system with three advantages: a high degree of automation, protection against a broad class of attacks based on corrupted code, and the elimination of false alarms. We report on our experience with a prototype implementation of this technique.
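The abstract describes the technique only at a high level; the following is an added illustration, not the paper's own code, of one concrete form the approach can take: a finite automaton over system calls extracted from the program's control-flow graph, against which a runtime monitor checks the observed system-call sequence. The CFG and the traces are constructed by hand here as stand-ins for the output of a real static analysis and a real tracing facility.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed control-flow graph of a hypothetical network daemon (a stand-in
# for what a static analysis of the source would produce).  Each basic block
# maps to (system call issued in that block, or None; successor blocks).
CFG: Dict[str, Tuple[Optional[str], List[str]]] = {
    "entry":      (None,     ["open_log"]),
    "open_log":   ("open",   ["accept"]),
    "accept":     ("accept", ["read_req"]),
    "read_req":   ("read",   ["send_ok", "send_err"]),
    "send_ok":    ("write",  ["close_conn"]),
    "send_err":   ("write",  ["close_conn"]),
    "close_conn": ("close",  ["accept", "exit"]),
    "exit":       ("exit",   []),
}
ENTRY = "entry"


def closure(nodes: Set[str]) -> Set[str]:
    """Extend a set of blocks through blocks that issue no system call
    (the epsilon moves of the automaton)."""
    seen, work = set(nodes), list(nodes)
    while work:
        n = work.pop()
        if CFG[n][0] is None:
            for s in CFG[n][1]:
                if s not in seen:
                    seen.add(s)
                    work.append(s)
    return seen


def first_deviation(trace: List[str]) -> Optional[int]:
    """Simulate the automaton on an observed system-call sequence.  Returns
    the index of the first call that no path through the CFG can explain, or
    None if the whole trace is consistent with the model.  Every path the
    program can take is accepted, so a legitimate run never raises an alarm."""
    states = closure({ENTRY})
    for i, call in enumerate(trace):
        matched = [n for n in states if CFG[n][0] == call]
        if not matched:
            return i
        states = closure({s for n in matched for s in CFG[n][1]})
    return None


# Constructed traces: one benign run, one where injected code spawns a shell.
NORMAL_TRACE = ["open", "accept", "read", "write", "close",
                "accept", "read", "write", "close", "exit"]
ATTACK_TRACE = ["open", "accept", "read", "execve", "write", "close"]
```

Because the model records the order of calls and not just the set of calls the program can make, a second `write` where the CFG only allows `close` is flagged as well, which is what makes the model stricter than a simple per-program system-call whitelist.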