Combining static analysis and dynamic learning to build accurate intrusion detection models

Anomaly detection based on monitoring of sequences of system calls has been shown to be an effective method for detection of previously unseen, potentially damaging attacks on hosts. This paper presents a new model for profiling normal program behavior for use in detection of intrusions that change application execution flow. This model is compact and efficient to operate and can be acquired using a combination of static analysis and dynamic learning. Our model (hybrid push down automata, HPDA) incorporates call stack information in the automata model and effectively captures the control flow of a program. Several important properties of the model are based on a unique correspondence relation between addresses and instructions within the model. These properties allow the HPDA to be acquired by dynamic analysis of an audit of the call stack log. Our strategy is to use static analysis to acquire a base model and then to use dynamic learning as a supplement to capture those aspects of behavior that are difficult to capture with static analysis due to techniques commonly used in modern programming environments. The model created by this combination method is shown to have a higher detection capability than models acquired by static analysis alone and a lower false positive rate than models acquired by dynamic learning alone.

[1]  Somesh Jha,et al.  Formalizing sensitivity in static analysis for intrusion detection , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[2]  Debin Gao,et al.  On Gray-Box Program Tracking for Anomaly Detection , 2004, USENIX Security Symposium.

[3]  Kymie M. C. Tan,et al.  "Why 6?" Defining the operational limits of stide, an anomaly-based intrusion detector , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[4]  Weibo Gong,et al.  Anomaly detection using call stack information , 2003, 2003 Symposium on Security and Privacy, 2003..

[5]  Barak A. Pearlmutter,et al.  Detecting intrusions using system calls: alternative data models , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[6]  Somesh Jha,et al.  Efficient Context-Sensitive Intrusion Detection , 2004, NDSS.

[7]  Stephanie Forrest,et al.  A sense of self for Unix processes , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[8]  David A. Wagner,et al.  Mimicry attacks on host-based intrusion detection systems , 2002, CCS '02.

[9]  Somesh Jha,et al.  Detecting Manipulated Remote Call Streams , 2002, USENIX Security Symposium.

[10]  Zhen Liu,et al.  A comparison of input representations in neural networks: a case study in intrusion detection , 2002, Proceedings of the 2002 International Joint Conference on Neural Networks. IJCNN'02 (Cat. No.02CH37290).

[11]  Michael Schatz,et al.  Learning Program Behavior Profiles for Intrusion Detection , 1999, Workshop on Intrusion Detection and Network Monitoring.

[12]  R. Sekar,et al.  A fast automaton-based method for detecting anomalous program behaviors , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[13]  Salvatore J. Stolfo,et al.  Data Mining Approaches for Intrusion Detection , 1998, USENIX Security Symposium.

[14]  David A. Wagner,et al.  Intrusion detection via static analysis , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[15]  Richard A. Kemmerer,et al.  State Transition Analysis: A Rule-Based Intrusion Detection Approach , 1995, IEEE Trans. Software Eng..

[16]  David Wagner,et al.  Static analysis and computer security: new techniques for software assurance , 2000 .

[17]  Stephanie Forrest,et al.  Automated response using system-call delays , 2000 .

[18]  T. Lane,et al.  Sequence Matching and Learning in Anomaly Detection for Computer Security , 1997 .

[19]  John Wilander,et al.  A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention , 2003, NDSS.

[20]  Anup Ghosh,et al.  Simple, state-based approaches to program-based anomaly detection , 2002, TSEC.

[21]  Vern Paxson,et al.  Bro: a system for detecting network intruders in real-time , 1998, Comput. Networks.