Efficient Context-Sensitive Intrusion Detection

Model-based intrusion detection compares a process's execution against a program model to detect intrusion attempts. Models constructed from static program analysis have historically traded precision for efficiency. We address this problem with our Dyck model, the first efficient statically-constructed context-sensitive model. This model specifies both the correct sequences of system calls that a program can generate and the stack changes occurring at function call sites. Experiments demonstrate that the Dyck model is an order of magnitude more precise than a context-insensitive finite state machine model. With null call squelching, a dynamic technique to bound cost, the Dyck model operates in time similar to the context-insensitive model.

We also present two static analysis techniques designed to counter mimicry and evasion attacks. Our branch analysis identifies between 32% and 64% of our test programs' system call sites as affecting control flow via their return values. Interprocedural argument capture of general values recovers 32% to 69% more arguments than previously reported techniques.
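As an added illustration of the model described above (example code written for this page, not the authors' implementation), the toy monitor below walks a constructed program model as a pushdown automaton: call and return edges carry stack symbols, and the same graph can be checked with or without those symbols. The constructed program, its labels and the two sample traces are assumptions for this example; running both modes on the hijack trace shows the impossible path that a context-insensitive finite state machine accepts and the Dyck model rejects.

```python
"""Toy Dyck-model monitor (added example, not the paper's code).
Constructed program:  main: f(); open(); f(); execve();   f: read();
Edge labels: "sys:NAME" system call, "push:ID"/"pop:ID" stack symbol
emitted on entering/returning from call site ID, "eps" silent."""
MODEL = [
    ("m0", "push:A", "f0"),    # call site A enters f
    ("f0", "sys:read", "f1"),
    ("f1", "pop:A", "m1"),     # return to site A
    ("m1", "sys:open", "m2"),
    ("m2", "push:B", "f0"),    # call site B enters f
    ("f1", "pop:B", "m3"),     # return to site B
    ("m3", "sys:execve", "m4"),
]
# Constructed traces: a normal run, and a hijack inside f jumping to execve.
NORMAL = ["push:A", "sys:read", "pop:A", "sys:open",
          "push:B", "sys:read", "pop:B", "sys:execve"]
HIJACK = ["push:A", "sys:read", "sys:execve"]

def _closure(configs, silent):
    """Add configurations reachable over edges whose kind is in `silent`."""
    while True:
        more = {(dst, stack) for state, stack in configs
                for src, label, dst in MODEL
                if src == state and label.split(":")[0] in silent}
        if more <= configs:
            return configs
        configs = configs | more

def monitor(trace, context_sensitive=True):
    """True if `trace` is a valid prefix of a modelled execution; Dyck mode
    matches each pop against the simulated stack, FSM mode ignores symbols."""
    silent = {"eps"} if context_sensitive else {"eps", "push", "pop"}
    events = [e for e in trace if context_sensitive or e.startswith("sys:")]
    configs = _closure({("m0", ())}, silent)  # set of (state, stack) pairs
    for ev in events:
        kind, _, sym = ev.partition(":")
        nxt = set()
        for state, stack in configs:
            for dst in (d for s, l, d in MODEL if s == state and l == ev):
                if kind == "push":
                    nxt.add((dst, stack + (sym,)))
                elif kind == "pop" and stack and stack[-1] == sym:
                    nxt.add((dst, stack[:-1]))  # matching return
                elif kind == "sys":
                    nxt.add((dst, stack))
        configs = _closure(nxt, silent)
        if not configs:
            return False  # alarm: no path through the model
    return True
```

`monitor(HIJACK, context_sensitive=False)` returns True because the FSM lets f return to site B after being entered from site A, while `monitor(HIJACK)` returns False because no execve edge leaves f without a matching pop.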
Somesh Jha
Last modified: Mon Jan 12 17:52:32 CST 2004