Some intrusion detection models, such as VPStatic, first construct a behavior model for a program via static analysis and then perform intrusion detection by monitoring whether the program's execution is consistent with that model. These models usually share the highly desirable feature that they do not produce false alarms, but they face a conflict between precision and efficiency: the high precision of VPStatic comes at the cost of high space complexity. In this paper, we propose a new context-sensitive intrusion detection model based on static analysis and stack walks, which is similar to VPStatic but much more efficient, especially in memory use. We replace the automaton in VPStatic with a state transition table (STT) and eliminate all redundant states and transitions in VPStatic. We prove that our STT model is a deterministic pushdown automaton (DPDA) and that its precision is the same as VPStatic's. Experiments also demonstrate that our STT model reduces both time and memory costs compared with VPStatic; in particular, its memory overhead is less than half of VPStatic's. We thereby alleviate the conflict between precision and efficiency.