FAST'05 Proceedings of the Third international conference on Formal Aspects in Security and Trust
This paper presents a new approach to run-time security monitoring that can detect system abnormalities including attacks, faults, or operational errors. The approach, System Health and Intrusion Monitoring (SHIM), employs a hierarchy of constraints to describe correct operation of a system at various levels of abstraction. The constraints capture static behavior, dynamic behavior, and time-critical behavior of a system. A system in execution is monitored for violations of the constraints, which may indicate potential security problems in the system. SHIM is based on specification-based intrusion detection, but it attempts to provide a systematic framework for developing the specifications/constraints. SHIM does not directly detect the intrusive actions in an attack, but rather their manifestations as violations of constraints. In this paper, we describe the constraint model and the methodology for developing the constraints. In addition, we present preliminary results on the constraints developed for host programs and network protocols. By bounding the behavior of various system components at different levels of abstraction, SHIM has a high chance of detecting different types of attacks and their variants.
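The three constraint classes the abstract names, as an added illustration that is not SHIM's own code: a small monitor runs a trace of abstract events through a static constraint (a program may only open files under fixed prefixes), a dynamic constraint (one operation must precede another in the same program) and a time-critical constraint (a deadline between two operations), and reports each violation without recognizing any particular attack, which is the detection posture the abstract describes. Every program name, operation, path, request id and threshold below is constructed for the example.

```python
"""Hierarchy-of-constraints monitor over a constructed event trace (illustration only)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float      # seconds since start of trace (constructed)
    prog: str      # monitored program
    op: str        # abstract operation: "open", "setuid", "exec", "recv", "send"
    arg: str = ""  # operation argument: path, uid or request id


@dataclass(frozen=True)
class Violation:
    level: str     # "static", "dynamic" or "time-critical"
    rule: str
    event: Event
    detail: str


class AllowedPaths:
    """Static constraint: `prog` may only open files under the given prefixes."""
    level = "static"

    def __init__(self, prog, prefixes):
        self.prog, self.prefixes = prog, tuple(prefixes)

    def observe(self, ev):
        if ev.prog == self.prog and ev.op == "open" and not ev.arg.startswith(self.prefixes):
            return Violation(self.level, "allowed-paths", ev,
                             f"{ev.prog} opened {ev.arg} outside {self.prefixes}")
        return None

    def finish(self, end_ts):
        return []


class MustPrecede:
    """Dynamic constraint: `first` must occur before `then` within the same program."""
    level = "dynamic"

    def __init__(self, progs, first, then):
        self.progs, self.first, self.then = set(progs), first, then
        self._seen = set()  # programs that have performed `first`

    def observe(self, ev):
        if ev.prog not in self.progs:
            return None
        if ev.op == self.first:
            self._seen.add(ev.prog)
        elif ev.op == self.then and ev.prog not in self._seen:
            return Violation(self.level, "must-precede", ev,
                             f"{ev.prog} did {self.then} without prior {self.first}")
        return None

    def finish(self, end_ts):
        return []


class Deadline:
    """Time-critical constraint: `end_op` must follow `start_op` within max_delay seconds."""
    level = "time-critical"

    def __init__(self, prog, start_op, end_op, max_delay):
        self.prog, self.start_op, self.end_op, self.max_delay = prog, start_op, end_op, max_delay
        self._pending = {}  # request id -> timestamp of start_op

    def observe(self, ev):
        if ev.prog != self.prog:
            return None
        if ev.op == self.start_op:
            self._pending[ev.arg] = ev.ts
        elif ev.op == self.end_op and ev.arg in self._pending:
            elapsed = ev.ts - self._pending.pop(ev.arg)
            if elapsed > self.max_delay:
                return Violation(self.level, "deadline", ev,
                                 f"{ev.arg} completed after {elapsed:.1f}s (limit {self.max_delay}s)")
        return None

    def finish(self, end_ts):
        # Requests still open past the deadline when the trace ends are violations too.
        return [Violation(self.level, "deadline", Event(end_ts, self.prog, self.end_op, key),
                          f"{key} still pending after {end_ts - start:.1f}s")
                for key, start in self._pending.items() if end_ts - start > self.max_delay]


class Monitor:
    """Feeds each event to every constraint, static first, then dynamic, then time-critical."""

    def __init__(self, constraints):
        self.constraints = list(constraints)

    def run(self, trace):
        violations, end_ts = [], 0.0
        for ev in trace:
            end_ts = max(end_ts, ev.ts)
            violations.extend(v for v in (c.observe(ev) for c in self.constraints) if v)
        for c in self.constraints:
            violations.extend(c.finish(end_ts))
        return violations


# Constructed trace: one web server and two privileged programs.
TRACE = [
    Event(0.0, "httpd", "open", "/var/www/index.html"),
    Event(0.1, "httpd", "recv", "req-1"),
    Event(0.2, "httpd", "send", "req-1"),
    Event(0.3, "httpd", "open", "/etc/shadow"),       # static violation
    Event(0.4, "login", "setuid", "1000"),
    Event(0.5, "login", "exec", "/bin/sh"),
    Event(0.6, "cron", "exec", "/bin/sh"),            # dynamic violation: no setuid first
    Event(0.7, "httpd", "recv", "req-2"),
    Event(1.0, "httpd", "recv", "req-3"),
    Event(2.0, "httpd", "send", "req-2"),             # time-critical violation: 1.3s > 1.0s
    Event(2.5, "httpd", "open", "/var/www/favicon.ico"),
]                                                     # req-3 still pending at trace end


def run_demo():
    monitor = Monitor([
        AllowedPaths("httpd", ["/var/www/", "/var/log/httpd/"]),
        MustPrecede(["login", "cron"], first="setuid", then="exec"),
        Deadline("httpd", start_op="recv", end_op="send", max_delay=1.0),
    ])
    return monitor.run(TRACE)


if __name__ == "__main__":
    for v in run_demo():
        print(f"[{v.level}] {v.rule} @ t={v.event.ts}: {v.detail}")
```

Each constraint is unaware of the others and of any attack; the monitor only reports where observed behavior leaves the bounds the specification set, so a new variant that still has to read an unexpected file, skip a privilege drop, or stall a request is caught by the same rules.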