Application-based anomaly intrusion detection with dynamic information flow analysis

This paper presents a new approach to detecting software security failures, whose primary goal is facilitating identification and repair of security vulnerabilities rather than permitting online response to attacks. The approach is based on online capture of executions and offline execution replay, profiling, and analysis. It employs fine-grained dynamic information flow analysis in conjunction with anomaly detection. This approach, which we call information flow anomaly detection, is capable of detecting a variety of security failures, including both ones that involve violations of confidentiality or integrity requirements and ones that do not. A prototype tool called DynFlow implementing the approach has been developed for use with Java byte code programs. To illustrate the potential of the approach, it is applied to detect security failures of four open source systems. Also, its effectiveness is compared to the effectiveness of an approach to anomaly detection that is based on analyzing method call stacks.
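A miniature version of the information flow anomaly detection idea described above, added here as an illustration and not DynFlow's code or the paper's evaluation setup: values carry source labels at runtime, each execution is profiled as the set of (source, sink) flows it exhibits, captured inputs are replayed under profiling to build a baseline from known-good runs, and a later execution is flagged when it exhibits a flow absent from that baseline. The `handle_request` application, its labels and the captured inputs are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tainted:
    """A runtime value plus the labels of the input sources that influenced it."""
    value: object
    labels: frozenset = frozenset()

def source(value, label):
    return Tainted(value, frozenset({label}))

def op(fn, *args):
    """Propagate taint through a computation: the result inherits every operand's labels."""
    return Tainted(fn(*(a.value for a in args)), frozenset().union(*(a.labels for a in args)))

class FlowProfile:
    """Records the information flows (source label -> sink label) seen in one execution."""
    def __init__(self):
        self.flows = set()
    def sink(self, tainted, sink_label):
        self.flows.update((lbl, sink_label) for lbl in tainted.labels)
        return tainted.value

def handle_request(profile, user, query, is_admin):
    """Hypothetical application code: logs every request; only admins reach the DB sink."""
    u = source(user, "http:user")
    q = source(query, "http:query")
    line = op(lambda a, b: f"{a} searched {b}", u, q)   # data flow from both inputs
    profile.sink(line, "log")
    if is_admin:
        profile.sink(q, "db:query")
    return profile

def replay(captured):
    """Offline replay of captured inputs under profiling: one flow set per execution."""
    return [handle_request(FlowProfile(), *inputs).flows for inputs in captured]

def baseline(captured_normal):
    """Union of flows exhibited by executions believed to be benign."""
    known = set()
    for flows in replay(captured_normal):
        known |= flows
    return known

def novel_flows(known, captured_one):
    """Flows of a single replayed execution that never appeared in the baseline."""
    [flows] = replay([captured_one])
    return sorted(flows - known)   # non-empty result => anomalous execution

NORMAL = [("alice", "printers", False), ("bob", "vpn setup", False)]  # constructed captures
BASELINE = baseline(NORMAL)
```

An execution that routes the query into the database sink is reported as anomalous purely because that flow was never profiled during training, with no signature for the specific input required.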
