FLIPS: Hybrid Adaptive Intrusion Prevention

Intrusion detection systems are fundamentally passive and fail-open. Because their primary task is classification, they do nothing to prevent an attack from succeeding. An intrusion prevention system (IPS) adds protection mechanisms that provide fail-safe semantics, automatic response capabilities, and adaptive enforcement. We present FLIPS (Feedback Learning IPS), a hybrid approach to host security that prevents binary code injection attacks. It incorporates three major components: an anomaly-based classifier, a signature-based filtering scheme, and a supervision framework that employs Instruction Set Randomization (ISR). Since ISR prevents code injection attacks and can also precisely identify the injected code, we can tune the classifier and the filter via a learning mechanism based on this feedback. Capturing the injected code allows FLIPS to construct signatures for zero-day exploits. The filter can discard input that is anomalous or matches known malicious input, effectively protecting the application from additional instances of an attack, even zero-day attacks or attacks that are metamorphic in nature. FLIPS does not require a known user base and can be deployed transparently to clients and with minimal impact on servers. We describe a prototype that protects HTTP servers, but FLIPS can be applied to a variety of server and client applications.
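The feedback loop the abstract describes, as an added illustrative model written for this page rather than code from the FLIPS prototype: a signature filter and a byte-frequency anomaly classifier sit in front of an ISR-supervised application; when the supervisor captures injected code, that code becomes a filter signature and the classifier threshold is tuned. The `isr_supervisor` stand-in (bytes that spill past a fixed buffer are what ISR would trap), the 1-gram classifier, the midpoint threshold rule and all requests are assumptions chosen for the illustration.

```python
from collections import Counter

BUF_SIZE = 64  # constructed: size of the stand-in application's input buffer


def byte_profile(data: bytes) -> dict:
    """Relative frequency of each byte value (a 1-gram payload model)."""
    n = max(len(data), 1)
    return {b: c / n for b, c in Counter(data).items()}


class Flips:
    """Signature filter + anomaly classifier in front of an ISR-supervised app."""

    def __init__(self, normal_requests):
        profiles = [byte_profile(r) for r in normal_requests]
        self.model = {b: sum(p.get(b, 0.0) for p in profiles) / len(profiles)
                      for b in range(256)}
        self.max_normal = max(self.anomaly_score(r) for r in normal_requests)
        self.threshold = 2.0   # untuned: the L1 distance never exceeds 2.0
        self.signatures = []   # learned from injected code captured by ISR

    def anomaly_score(self, request: bytes) -> float:
        p = byte_profile(request)
        return sum(abs(p.get(b, 0.0) - self.model[b]) for b in range(256))

    def filter(self, request: bytes) -> str:
        if any(sig in request for sig in self.signatures):
            return "drop:signature"
        if self.anomaly_score(request) >= self.threshold:
            return "drop:anomalous"
        return "pass"

    def isr_supervisor(self, request: bytes):
        """Stand-in for the ISR-supervised application: bytes spilling past the
        buffer would execute un-randomized, so ISR traps them and the supervisor
        hands exactly those bytes back as feedback (None for a benign request)."""
        body = request.split(b"\r\n\r\n", 1)[-1]
        return body[BUF_SIZE:] if len(body) > BUF_SIZE else None

    def handle(self, request: bytes) -> str:
        verdict = self.filter(request)
        if verdict != "pass":
            return verdict
        injected = self.isr_supervisor(request)
        if injected is None:
            return "served"
        # Feedback: captured code becomes a signature; the classifier threshold
        # moves to halfway between the noisiest normal request and this attack.
        self.signatures.append(injected)
        self.threshold = min(self.threshold, (self.max_normal + self.anomaly_score(request)) / 2)
        return "blocked:isr"
```

Because the signature is the captured injected bytes rather than the whole request, a repeat of the attack with different padding is still dropped by the filter, and a differently shaped overflow is dropped by the tuned classifier before it ever reaches the supervised application.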
