Environment-Sensitive Intrusion Detection
Abstract
We perform host-based intrusion detection by constructing a model from a program's binary code and then restricting the program's execution by the model. We improve the effectiveness of such model-based intrusion detection systems by incorporating into the model knowledge of the environment in which the program runs, and by increasing the accuracy of our models with a new data-flow analysis algorithm for context-sensitive recovery of static data. The environment (configuration files, command-line parameters, and environment variables) constrains acceptable process execution. Environment dependencies added to a program model update the model to the current environment at every program execution. Our new static data-flow analysis associates a program's data flows with specific calling contexts that use the data. We use this analysis to differentiate system call arguments flowing from distinct call sites in the program. Using a new average reachability measure suitable for evaluation of call-stack-based program models, we demonstrate that our techniques improve the precision of several test programs' models from 76% to 100%.
Document Details
- Document Type: Technical Report
- Publication Date: Jan 01, 2006
- Accession Number: ADA448428
Entities
People
- Barton P. Miller
- David Dagon
- Jonathan T. Giffin
- Somesh Jha
- Wenke Lee
Organizations
- University of Wisconsin Madison Department of Computer Science