Intrusion Detection via Static Analysis

Similar documents
Transparent Monitoring of a Process Self in a Virtual Environment

Building accurate intrusion detection systems. Diego Zamboni Global Security Analysis Lab IBM Zürich Research Laboratory

Intrusion Detection Systems

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Intrusion Detection System (IDS)

How to Sandbox IIS Automatically without 0 False Positive and Negative

How to Automatically and Accurately Sandbox Microsoft IIS

Architecture Overview

Chapter 15 Operating System Security

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Network Security Algorithms

INTRUSION DETECTION SYSTEMS and Network Security

CSCE 465 Computer & Network Security

USING LOCAL NETWORK AUDIT SENSORS AS DATA SOURCES FOR INTRUSION DETECTION. Integrated Information Systems Group, Ruhr University Bochum, Germany

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined.

Role of Anomaly IDS in Network

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

Understanding Precision in Host Based Intrusion Detection

Chapter 9 Firewalls and Intrusion Prevention Systems

Honors Class (Foundations of) Informatics. Tom Verhoeff. Department of Mathematics & Computer Science Software Engineering & Technology

FIREWALL AND NAT Lecture 7a

Pushdown automata. Informatics 2A: Lecture 9. Alex Simpson. 3 October, School of Informatics University of Edinburgh als@inf.ed.ac.

CS2107 Introduction to Information and System Security (Slid. (Slide set 8)

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Product Overview. Product Family. Product Features. Powerful intrusion detection and monitoring capacity

NETWORK SECURITY (W/LAB) Course Syllabus

Speedy Signature Based Intrusion Detection System Using Finite State Machine and Hashing Techniques

Computer Security: Principles and Practice

Internetworking II: VPNs, MPLS, and Traffic Engineering

Intrusion Detection for Mobile Ad Hoc Networks

Introduction of Intrusion Detection Systems

Automating Mimicry Attacks Using Static Binary Analysis

Firewall Firewall August, 2003

Compiler Construction

Network- vs. Host-based Intrusion Detection

Transport Layer Protocols

STANDPOINT FOR QUALITY-OF-SERVICE MEASUREMENT

An Alternative Model Of Virtualization Based Intrusion Detection System In Cloud Computing

INTRUSION PREVENTION AND EXPERT SYSTEMS

Korset: Automated, Zero False-Alarm Intrusion Detection for Linux

Intrusion Detection System using Log Files and Reinforcement Learning

Fast nondeterministic recognition of context-free languages using two queues

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Applied Security Lab 2: Personal Firewall

Korset: Code-based Intrusion Detection for Linux

CMSC 421, Operating Systems. Fall Security. URL: Dr. Kalpakis

Lab Configure IOS Firewall IDS

Cloud Computing. Up until now

SURVEY OF INTRUSION DETECTION SYSTEM

DESIGN AND VERIFICATION OF LSR OF THE MPLS NETWORK USING VHDL

Automatic Application-Specific Sandboxing for Win32/X86 Binaries

Computer Security DD2395

An Inspection on Intrusion Detection and Prevention Mechanisms

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

Firewalls P+S Linux Router & Firewall 2013

Intrusion Detection Systems (IDS)

A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS

Secure Software Programming and Vulnerability Analysis

find model parameters, to validate models, and to develop inputs for models. c 1994 Raj Jain 7.1

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

SECURING AN INTEGRATED SCADA SYSTEM. Technical Paper April 2007

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

THE PROBLEM WORMS (1) WORMS (2) THE PROBLEM OF WORM PROPAGATION/PREVENTION THE MINIMUM VERTEX COVER PROBLEM

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Application Intrusion Detection

Contents. Intrusion Detection Systems (IDS) Intrusion Detection. Why Intrusion Detection? What is Intrusion Detection?

Software Defined Networks

Lecture 9. Semantic Analysis Scoping and Symbol Table

Firewalls and Intrusion Detection

How To Protect Your Network From Attack

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

Firewalls. Ahmad Almulhem March 10, 2012

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

How To Understand The Power Of The Internet

Detecting Threats in Network Security by Analyzing Network Packets using Wireshark

IntruPro TM IPS. Inline Intrusion Prevention. White Paper

On Gray-Box Program Tracking for Anomaly Detection

What is Web Security? Motivation

Firewall Environments. Name

State of Vermont. Intrusion Detection and Prevention Policy. Date: Approved by: Tom Pelham Policy Number:

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

FIRE-ROUTER: A NEW SECURE INTER-NETWORKING DEVICE

How To Protect A Network From Attack From A Hacker (Hbss)

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

B&B ELECTRONICS WHITE PAPER. Managed Ethernet Switches - Key Features for a Powerful Industrial Network

VLANs. Application Note

Computer Security. What is Auditing? Policies CIS Prevention Deterrence. Detection. Response Recovery 2. Auditing Chapter 24.

T Reactive Systems: Introduction and Finite State Automata

Transcription:

Intrusion Detection via Static Analysis IEEE Symposium on Security & Privacy 01 David Wagner Drew Dean Presented by Yongjian Hu

Outline Introduction Motivation Models Trivial model Callgraph model Abstract stack model Digraph model Implementation Evaluation

Introduction IPS: Intrusion Prevention System Find buffer overflows and remove them Use firewall to filter out malicious network traffic IDS: Intrusion Detection System Is what you do after prevention has failed Detect attack in progress Network traffic patterns, suspicious system calls, etc

Introduction Host-based IDS Monitor activity on a single host Advantage: better visibility into behavior of individual applications running on the host Network-based IDS Often placed on a router or firewall Monitor traffic, examine packet headers and payloads Advantage: can protect many hosts

Problem Prevalent security problems Abnormal behavior: Buffer Overflows Current Methodology Define a model of the normal behavior of a program Raise an alarm if the program behaves abnormally The Problem False alarm rate is high!!!

Motivation System Call Interposition Observation: all sensitive system resources are accessed via OS system call interface Files, Network, etc. Idea: Monitor all system calls and block those that violate security policy

Model Creation Training-based: Use machine learning and data mining techniques Log system activities for a while, then train IDS to recognize normal and abnormal patterns Easy but may miss some of the behavior Static analysis: Extracted the model from source or binary NO false positives!!!

A Trivial Model Create a set of system calls that the application can ever make If a system call outside the set is executed, terminate the application Pros: easy to implement Cons: miss many attacks & too coarse-grained

Callgraph Model Build a control flow graph of the program by static analysis of its source or binary code Result: non-deterministic finite-state automaton (NDFA) over the set of system calls Each vertex executes at most one system call Edges are system calls or empty transitions Implicit transition to special Wrong state for all system calls other than the ones in original code All other states are accepting

Callgraph Example Entry(g) Entry point open() v close() w exit() getuid() Entry(f) Exit(f) geteuid() Function call site is split into two nodes Exit(g) Epsilon edges

Imprecision in Callgraph The return address in f can be overridden. Valid Path Impossible Path. Yet the model will not be able to detect it since all transitions are valid.

NDFA: Model Tradeoffs A good model should be Accurate: closely models expected execution Need context sensitivity! Fast: runtime verification is cheap Inaccurate Accurate Slow Fast NDFA

Abstract Stack Model NDFA is not precise, loses stack information Alternative: model application as a context-free language over the set of system calls Build non-deterministic pushdown automaton (NDPDA) Each symbol on the NDPDA stack corresponds to single stack frame in the actual call stack All valid call sequences accepted by NDPDA; enter Wrong state when an impossible call is made

NDPDA Example

Solve Impossible Path Consider the previous example of an impossible path. The Abstract Stack model will detect the attack since it stores stack information. When returning from state Exit(f), the stack will have the return address v. State v does not have a transition on system call exit() hence the attack will be detected.

NDPDA: Model Tradeoffs Non-deterministic PDA has high cost Forward reachability algorithm is cubic in automaton size Unusable for online checking Slow Fast Inaccurate NDNFA Accurate NDPDA

Digraph Model Combines some of the advantages of the callgraph model in a simpler formulation Model consists of a list of possible k-sequences of consecutive system calls (k=2 for simplicity) Monitor the application by checking the executed system calls vs. a precomputed list of the allowed k-sequences +: much more efficient than NDFA & NDPDA -: less precise than NDFA & NDPDA

Implementation Issues Non-standard control Function pointers Signals Add extra edge to each handler + pre-/post-guard Setjmp() Modify stack, not suitable for NDPDA Extend runtime monitor to handle Other modeling challenges Libraries Dynamic linking Threads

Optimizations Irrelevant systems calls Not monitoring harmless but frequently executed system calls such as brk() System call arguments Monitoring the arguments at runtime improves both precision and performance

Evaluation: Performance

Evaluation: Precision Precision of each of the models, as characterized by the average branching factor. Small numbers represent better precision.

Unsolved Issues Mimicry Attack Require high precision model to detect (poor performance) Runtime Overhead Use more advanced static analysis to get more precise models Later work such as VtPath, Dyck and VPStatic try to solve this problem

Backup

Push-down automata As in FSA, PDA have a set of states and a transition function. They differ from FSA by also having a stack. They accept context-free languages. At every transition, a symbol can be pushed or popped from the stack. They can accept either by state or by stack (if stack is empty), which are equivalent in terms of computational power. PDA is stronger than FSA. It can accept regular languages and also some irregular ones such as 0 n 1 n. push 0 pop 0 0 1 1 Start End Stack Once you see a 1, switch to the End state. The stack contains as many 0 as seen in the input. If the stack is empty at the end of the input, accept.

Dyck Model Idea: make stack updates (i.e., function calls) explicit symbols in the automaton alphabet Result: stack-deterministic PDA [Giffin et al.] At each moment, the monitor knows where the monitored application is in its call stack Only one valid stack configuration at any given time How does monitor learn about function calls? Use binary rewriting to instrument the code to issue special null system calls to notify the monitor Potential high cost of introducing many new system calls Can t rely on instrumentation if application is corrupted

System Call Processing Complexity Model NFA Time & Space Complexity O(n) PDA O(nm 2 ) Dyck O(n) n is state count m is transition count slide 26

Reference cseweb.ucsd.edu/classes/sp02/cse231/ eugene.ppt www.cs.utexas.edu/~shmat/courses/ cs380s_fall09/08hostids.ppt Moss.csc.ncsu.edu/~mueller/seminar/spring05/ sezer.ppt

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information