Environment-Sensitive Intrusion Detection

We perform host-based intrusion detection by constructing a model from a program’s binary code and then restricting the program’s execution by the model. We improve the effectiveness of such model-based intrusion detection systems by incorporating into the model knowledge of the environment in which the program runs, and by increasing the accuracy of our models with a new dataflow analysis algorithm for context-sensitive recovery of static data. The environment—configuration files, command-line parameters, and environment variables—constrains acceptable process execution. Environment dependencies added to a program model update the model to the current environment at every program execution. Our new static data-flow analysis associates a program’s data flows with specific calling contexts that use the data. We use this analysis to differentiate system-call arguments flowing from distinct call sites in the program. Using a new average reachability measure suitable for ev...
Added 28 Jun 2010
Updated 28 Jun 2010
Type Conference
Year 2005
Where RAID
Authors Jonathon T. Giffin, David Dagon, Somesh Jha, Wenke Lee, Barton P. Miller