Environment-sensitive intrusion detection
We perform host-based intrusion detection by constructing a model from
a program's binary code and then restricting the program's execution
by the model. We improve the effectiveness of such model-based
intrusion detection systems by incorporating into the model knowledge
of the environment in which the program runs, and by increasing the
accuracy of our models with a new data-flow analysis algorithm for
context-sensitive recovery of static data.
The environment configuration files, command-line parameters,
and environment variable constrains acceptable process
execution. Environment dependencies added to a program model update
the model to the current environment at every program execution.
Our new static data-flow analysis associates a program's data flows
with specific calling contexts that use the data. We use this analysis
to differentiate system-call arguments flowing from distinct call
sites in the program.
Using a new average reachability measure suitable for evaluation of
call-stack-based program models, we demonstrate that our techniques
improve the precision of several test programs' models from 76% to
Last modified: Thu Mar 23 14:02:04 CST 2006