DOI: 10.5555/1251421.1251427

Article

Synthesizing fast intrusion prevention/detection systems from high-level specifications

Published: 23 August 1999

Abstract

To build survivable information systems (i.e., systems that continue to provide their services in spite of coordinated attacks), it is necessary to detect and isolate intrusions before they impact system performance or functionality. Previous research in this area has focussed primarily on detecting intrusions after the fact, rather than preventing them in the first place. We have developed a new approach based on specifying intended program behaviors using patterns over sequences of system calls. The patterns can also capture conditions on the values of system-call arguments. At runtime, we intercept the system calls made by processes, compare them against specifications, and disallow (or otherwise modify) those calls that deviate from specifications. Since our approach is capable of modifying a system call before it is delivered to the operating system kernel, it is capable of reacting before any damage-causing system call is executed by a process under attack. We present our specification language and illustrate its use by developing a specification for the ftp server. Observe that in our approach, every system call is intercepted and subject to potentially expensive operations for matching against many patterns that specify normal/abnormal behavior. Thus, minimizing the overheads incurred for pattern-matching is critical for the viability of our approach. We solve this problem by developing a new, low-overhead algorithm for matching runtime behaviors against specifications. A salient feature of our algorithm is that its runtime is almost independent of the number of patterns. In most cases, it uses a constant amount of time per system call intercepted, and uses a constant amount of storage, both independent of either the size or number of patterns. These benefits make our algorithm useful for many other intrusion detection methods that employ pattern-matching. We describe our algorithm, and evaluate its performance through experiments.
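The monitoring approach sketched in the abstract (intercept every system call, match it against patterns over call sequences that may also constrain argument values, and refuse calls that deviate before they reach the kernel) can be illustrated with a small Python monitor. This is an added example, not the paper's specification language or its matching algorithm: it assumes a simplified pattern form (a contiguous sequence of syscall names plus an optional predicate on the final call's arguments), compiles all patterns into one Aho-Corasick automaton so that the per-call matching cost does not grow with the number of patterns, and runs over a constructed trace. The `Pattern`, `Monitor` and `run_trace` names, the sample policy and the trace are all assumptions made for this illustration.

```python
# Added illustration (not the paper's language or algorithm): a toy
# system-call policy monitor. All "abnormal behaviour" patterns are compiled
# into ONE Aho-Corasick automaton over syscall names, so each intercepted call
# costs an amortised-constant number of transitions however many patterns are
# loaded. Argument conditions are guards evaluated only when a pattern completes.
from collections import deque
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Pattern:
    name: str                                        # label reported when it fires
    calls: tuple                                     # contiguous syscall-name sequence
    guard: Optional[Callable[[dict], bool]] = None   # condition on the last call's args


class Monitor:
    def __init__(self, patterns):
        self.goto = [{}]   # state -> {syscall name: next state}
        self.fail = [0]    # Aho-Corasick failure links
        self.out = [[]]    # state -> patterns that complete in this state
        for p in patterns:
            self._add(p)
        self._link_failures()
        self.state = 0     # automaton state of the monitored process

    def _add(self, p):
        s = 0
        for call in p.calls:
            if call not in self.goto[s]:
                self.goto.append({}); self.fail.append(0); self.out.append([])
                self.goto[s][call] = len(self.goto) - 1
            s = self.goto[s][call]
        self.out[s].append(p)

    def _link_failures(self):
        queue = deque(self.goto[0].values())       # depth-1 states keep fail = 0
        while queue:
            r = queue.popleft()
            for sym, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and sym not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(sym, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]  # inherit suffix matches

    def check(self, name, args):
        """Intercept one syscall. Returns ("allow", None) or ("deny", pattern label)."""
        s = self.state
        while s and name not in self.goto[s]:
            s = self.fail[s]
        s = self.goto[s].get(name, 0)
        for p in self.out[s]:
            if p.guard is None or p.guard(args):
                # A denied call never reaches the kernel, so the process's
                # observed call sequence (and hence the state) does not advance.
                return "deny", p.name
        self.state = s
        return "allow", None


# Constructed policy for a hypothetical file-serving daemon (illustrative only).
POLICY = [
    Pattern("open_shadow", ("open",), guard=lambda a: a.get("path") == "/etc/shadow"),
    Pattern("world_writable_chmod", ("chmod",), guard=lambda a: bool(a.get("mode", 0) & 0o002)),
    Pattern("exec_after_setuid", ("setuid", "execve")),
]

# Constructed trace of intercepted calls, as a syscall-interposition layer might deliver them.
TRACE = [
    ("socket", {"domain": "AF_INET"}),
    ("accept", {}),
    ("open",   {"path": "/srv/ftp/pub/readme.txt", "flags": "O_RDONLY"}),
    ("open",   {"path": "/etc/shadow", "flags": "O_RDONLY"}),
    ("chmod",  {"path": "/srv/ftp/pub/upload", "mode": 0o644}),
    ("chmod",  {"path": "/srv/ftp/pub/upload", "mode": 0o666}),
    ("setuid", {"uid": 0}),
    ("execve", {"path": "/bin/sh"}),
    ("close",  {}),
]


def run_trace(patterns, trace):
    """Return [(syscall name, decision, pattern label or None), ...] for a trace."""
    mon = Monitor(patterns)
    return [(name, *mon.check(name, args)) for name, args in trace]


if __name__ == "__main__":
    for name, decision, label in run_trace(POLICY, TRACE):
        print(f"{name:8s} {decision:5s} {label or ''}")
```

Two design points carry over from the abstract: the decision is taken before the call is delivered, so a matching call is refused rather than merely logged after the fact, and because the failure links precompute where every partial match can continue, a call is never re-checked against each pattern individually. Contiguous sequences are a simplification of this example; a specification language for real daemons would need richer sequence operators and conditions that relate arguments across calls.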



Published In

SSYM'99: Proceedings of the 8th conference on USENIX Security Symposium - Volume 8, August 1999, 248 pages

Publisher

USENIX Association

United States

Cited By

  • (2011) Specification-based intrusion detection system for WiBro. Proceedings of the 5th international conference on Convergence and hybrid information technology, pp. 445-455, doi 10.5555/2045005.2045066. Online publication date: 22-Sep-2011
  • (2011) Dynamic behavior matching. Proceedings of the 23rd international conference on Automated deduction, pp. 252-267, doi 10.5555/2032266.2032286. Online publication date: 31-Jul-2011
  • (2010) Some ideas on virtualized system security, and monitors. Proceedings of the 5th international Workshop on data privacy management, and 3rd international conference on Autonomous spontaneous security, pp. 244-258, doi 10.5555/1964419.1964440. Online publication date: 23-Sep-2010
  • (2009) Alcatraz. ACM Transactions on Information and System Security 12(3), pp. 1-37, doi 10.1145/1455526.1455527. Online publication date: 1-Jan-2009
  • (2009) Transparent Process Monitoring in a Virtual Environment. Electronic Notes in Theoretical Computer Science (ENTCS) 236, pp. 85-100, doi 10.1016/j.entcs.2009.03.016. Online publication date: 1-Apr-2009
  • (2008) Synthesising monitors from high-level policies for the safe execution of untrusted software. Proceedings of the 4th international conference on Information security practice and experience, pp. 233-247, doi 10.5555/1788494.1788511. Online publication date: 21-Apr-2008
  • (2008) Reconstructing system state for intrusion analysis. ACM SIGOPS Operating Systems Review 42(3), pp. 21-28, doi 10.1145/1368506.1368511. Online publication date: 1-Apr-2008
  • (2008) A practical mimicry attack against powerful system-call monitors. Proceedings of the 2008 ACM symposium on Information, computer and communications security, pp. 156-167, doi 10.1145/1368310.1368334. Online publication date: 18-Mar-2008
  • (2008) Fast Signature Matching Using Extended Finite Automaton (XFA). Proceedings of the 4th International Conference on Information Systems Security, pp. 158-172, doi 10.1007/978-3-540-89862-7_15. Online publication date: 16-Dec-2008
  • (2007) Automatic high-performance reconstruction and recovery. Computer Networks: The International Journal of Computer and Telecommunications Networking 51(5), pp. 1361-1377, doi 10.1016/j.comnet.2006.09.013. Online publication date: 1-Apr-2007
