Efficient Context-Sensitive Intrusion Detection
Model-based intrusion detection compares a process's execution against a
program model to detect intrusion attempts. Models constructed from static
program analysis have historically traded precision for efficiency. We
address this problem with our Dyck model, the first efficient
statically-constructed context-sensitive model. This model specifies both
the correct sequences of system calls that a program can generate and the
stack changes occurring at function call sites. Experiments demonstrate
that the Dyck model is an order of magnitude more precise than a
context-insensitive finite state machine model. With null call squelching,
a dynamic technique to bound cost, the Dyck model operates in time similar
to the context-insensitive model.
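As an added illustration (not code from the paper), a toy Python monitor that checks a trace of system calls and call-site stack symbols against a Dyck model, and the same trace against the context-insensitive finite state machine built from the same program graph; the program, its states and the traces are all constructed for this example.

```python
# Added toy example, not the paper's code. Constructed program (site numbers mark call sites):
#   a() { write }   b() { a()@1; open }   c() { a()@2; exec }   main() { b()@3; c()@4 }
# Monitored events: system call names plus "[n" / "]n", emitted at call site n on call / return.
EDGES = {  # state -> [(label, next_state)]; bracket labels are the call/return edges
    "main0": [("[3", "b0")], "main1": [("[4", "c0")], "main2": [],  # main2 = program exit
    "b0": [("[1", "a0")], "b1": [("open", "b2")], "b2": [("]3", "main1")],
    "c0": [("[2", "a0")], "c1": [("exec", "c2")], "c2": [("]4", "main2")],
    "a0": [("write", "a1")], "a1": [("]1", "b1"), ("]2", "c1")],  # a() returns to both callers
}
START, ACCEPT = "main0", "main2"

def dyck_accepts(trace):
    """Context-sensitive monitor: a return event must pop its own call site from the stack."""
    configs = {(START, ())}  # set of (state, stack) pairs; the model is nondeterministic
    for ev in trace:
        nxt = set()
        for state, stack in configs:
            for label, target in EDGES[state]:
                if label != ev:
                    continue
                if label[0] == "[":
                    nxt.add((target, stack + (label[1:],)))
                elif label[0] == "]":
                    if stack and stack[-1] == label[1:]:  # mismatched return: config dies
                        nxt.add((target, stack[:-1]))
                else:
                    nxt.add((target, stack))
        configs = nxt
        if not configs:
            return False  # no model path explains the trace: raise an alert
    return any(s == ACCEPT and not st for s, st in configs)

def fsm_accepts(trace):
    """Context-insensitive monitor: call/return edges are free moves and brackets are ignored."""
    def close(states):  # follow call/return edges without tracking where a return goes
        todo, seen = list(states), set(states)
        while todo:
            for label, target in EDGES[todo.pop()]:
                if label[0] in "[]" and target not in seen:
                    seen.add(target)
                    todo.append(target)
        return seen
    states = close({START})
    for ev in (e for e in trace if e[0] not in "[]"):
        states = close({t for s in states for label, t in EDGES[s] if label == ev})
        if not states:
            return False
    return ACCEPT in states
LEGAL = ["[3", "[1", "write", "]1", "open", "]3", "[4", "[2", "write", "]2", "exec", "]4"]
IMPOSSIBLE = ["[3", "[1", "write", "]2", "exec", "]4"]  # enters a() from b(), "returns" into c()
```

The FSM accepts the impossible path `write, exec` because the return edge from `a()` leads to both callers; the Dyck model rejects it because the return symbol must match the call site on top of the stack.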
We also present two static analysis techniques designed to counter mimicry
and evasion attacks. Our branch analysis identifies between 32% and 64% of
our test programs' system call sites as affecting control flow via their
return values. Interprocedural argument capture of general values recovers
32% to 69% more arguments than previously reported techniques.
Download: [PS, PDF]
Somesh Jha
Last modified: Mon Jan 12 17:52:32 CST 2004