An Efficient Technique for Preventing Mimicry and Impossible Paths Execution Attacks

In this paper we propose a new strategy for dealing with impossible path execution (IPE) and mimicry attacks against N-gram based HIDS models. Our strategy is based on a kernel-level module that interacts with an underlying HIDS and whose main purpose is to "randomize" the sequences of system calls produced by an application, making them unpredictable to an attacker. We implemented a prototype of such a module on a Linux system in order to experimentally verify the feasibility and efficacy of our idea. The results obtained are quite encouraging; furthermore, the module turned out to be quite efficient, slowing down a testbed Web server by only 5.9%.
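As an added illustration (not code from the paper), the following Python toy model shows why a per-process randomization layer between the application and an N-gram HIDS hurts a mimicry sequence: the HIDS learns normal N-grams in the real syscall space, a simulated kernel module translates every issued syscall through a secret permutation, and the legitimate program is prepared at load time so that the translation cancels out for it but not for injected code that never learned the key. The permutation scheme and the traces are constructed assumptions standing in for the paper's unspecified randomization.

```python
"""Toy model: N-gram HIDS fronted by a per-process syscall randomizer."""
import random

N = 3  # N-gram window length used by the HIDS

# Constructed "normal" traces of a small file/network server (not real data).
NORMAL_TRACES = [
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
    ["socket", "bind", "listen", "accept", "read", "write", "close"],
]
SYSCALLS = sorted({s for t in NORMAL_TRACES for s in t})

def ngrams(seq, n=N):
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]

def train(traces, n=N):
    """Normal model: the set of N-grams observed during training."""
    return {g for t in traces for g in ngrams(t, n)}

def anomalous_windows(model, seq, n=N):
    """Number of N-gram windows in seq that are absent from the model."""
    return sum(g not in model for g in ngrams(seq, n))

def make_key(seed):
    """Per-process secret: a random permutation of the syscall alphabet."""
    names = SYSCALLS[:]
    random.Random(seed).shuffle(names)
    return dict(zip(SYSCALLS, names))

def kernel_module(key, issued):
    """Translate each syscall the process issues before the HIDS sees it."""
    return [key[s] for s in issued]

def prepare_binary(key, trace):
    """Load-time rewrite of the legitimate program (assumed mechanism): it
    issues pre-inverted identifiers, so the module's translation undoes it."""
    inverse = {v: k for k, v in key.items()}
    return [inverse[s] for s in trace]

def simulate(seed, legit_trace, mimicry_trace):
    """Return (anomalies for the legit run, anomalies for the mimicry run)."""
    model = train(NORMAL_TRACES)
    key = make_key(seed)
    legit_seen = kernel_module(key, prepare_binary(key, legit_trace))
    # Injected code issues plain syscalls: it does not know the key, so the
    # sequence the HIDS observes is a permuted, unfamiliar one.
    attack_seen = kernel_module(key, mimicry_trace)
    return anomalous_windows(model, legit_seen), anomalous_windows(model, attack_seen)

if __name__ == "__main__":
    for seed in range(5):
        print(seed, simulate(seed, NORMAL_TRACES[0], ["open", "read", "write", "close"]))
```

The mimicry sequence scores zero anomalies against the plaintext model, yet almost every random key turns it into windows the HIDS has never seen, while the prepared legitimate binary always scores zero.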
