The design and implementation of the 4.4BSD operating system
The design and implementation of the 4.4BSD operating system
Towards a taxonomy of intrusion-detection systems
Computer Networks: The International Journal of Computer and Telecommunications Networking - Special issue on computer network security
Remus: a security-enhanced operating system
ACM Transactions on Information and System Security (TISSEC)
Implementing a Generalized Tool for Network Monitoring
LISA '97 Proceedings of the 11th Conference on Systems Administration
Using CQUAL for Static Analysis of Authorization Hook Placement
Proceedings of the 11th USENIX Security Symposium
Using Programmer-Written Compiler Extensions to Catch Security Holes
SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
A Sense of Self for Unix Processes
SP '96 Proceedings of the 1996 IEEE Symposium on Security and Privacy
IRM Enforcement of Java Stack Inspection
SP '00 Proceedings of the 2000 IEEE Symposium on Security and Privacy
Intrusion Detection via Static Analysis
SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Janus: an Approach for Confinement of Untrusted Applications
Janus: an Approach for Confinement of Untrusted Applications
SubDomain: Parsimonious Server Security
LISA '00 Proceedings of the 14th USENIX conference on System administration
Detecting and countering system intrusions using software wrappers
SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Synthesizing fast intrusion prevention/detection systems from high-level specifications
SSYM'99 Proceedings of the 8th conference on USENIX Security Symposium - Volume 8
Bro: a system for detecting network intruders in real-time
SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
Enabling trusted software integrity
Proceedings of the 10th international conference on Architectural support for programming languages and operating systems
ANSS '06 Proceedings of the 39th annual Symposium on Simulation
Analyzing and evaluating dynamics in stide performance for intrusion detection
Knowledge-Based Systems
Immuno-inspired autonomic system for cyber defense
Information Security Tech. Report
Using static analysis for Ajax intrusion detection
Proceedings of the 18th international conference on World wide web
Impact of IT monoculture on behavioral end host intrusion detection
Proceedings of the 1st ACM workshop on Research on enterprise networking
Enforcement of integrated security policy in trusted operating systems
IWSEC'07 Proceedings of the Security 2nd international conference on Advances in information and computer security
On run-time enforcement of policies
ASIAN'07 Proceedings of the 12th Asian computing science conference on Advances in computer science: computer and network security
A Framework for Large-Scale Detection of Web Site Defacements
ACM Transactions on Internet Technology (TOIT)
Security policy implementation using connection and event log to achieve network access control
ACAI '11 Proceedings of the International Conference on Advances in Computing and Artificial Intelligence
Design and implementation of an extended reference monitor for trusted operating systems
ISPEC'06 Proceedings of the Second international conference on Information Security Practice and Experience
Model generalization and its implications on intrusion detection
ACNS'05 Proceedings of the Third international conference on Applied Cryptography and Network Security
Enforcing the principle of least privilege with a state-based privilege control model
ISPEC'05 Proceedings of the First international conference on Information Security Practice and Experience
Mathematical and Computer Modelling: An International Journal
STING: finding name resolution vulnerabilities in programs
Security'12 Proceedings of the 21st USENIX conference on Security symposium
International Journal of Information Security and Privacy
A taint marking approach to confidentiality violation detection
AISC '12 Proceedings of the Tenth Australasian Information Security Conference - Volume 125
On effective sampling techniques in host-based intrusion detection in tactical MANET
International Journal of Security and Networks
| Hi-index | 0.00 |
Detecting attacks against systems has, in practice, largely been delegated to sensors, such as network intrustion detection systems. However, due to the inherent limitations of these systems and the increasing use of encryption in communication, intrusion detection and prevention have once again moved back to the host systems themselves. In this paper, we describe our experiences with building BlueBox, a host-based intrusion detection system. Our approach, based on the technique of system call introspection, can be viewed as creating an infrastructure for defining and enforcing very fine-grained process capabilities in the kernel. These capabilities are specified as a set of rules (policies) for regulating access to system resources on a per executable basis. The language for expressing the rules is intuitive and sufficiently expressive to effectively capture security boundaries.We have prototyped our approach on Linux operating system kernel and have built rule templates for popular daemons such as Apache and wu-ftpd. Our design has been validated by testing against a comprehensive database of known attacks. Our system has been designed to minimize the kernel changes and performance impact and thus can be ported easily to new kernels. We describe the motivation and rationale behind BlueBox, its design, implementation on Linux, and how it relates to prior work on detecting and preventing intrusions on host systems.