IEEE Transactions on Software Engineering - Special issue on computer security and privacy
Cecil: A Sequencing Constraint Language for Automatic Static Analysis Generation
IEEE Transactions on Software Engineering
Interposition agents: transparently interposing user code at the system interface
SOSP '93 Proceedings of the fourteenth ACM symposium on Operating systems principles
Computer-aided verification of coordinating processes: the automata-theoretic approach
Computer-aided verification of coordinating processes: the automata-theoretic approach
Classification and detection of computer intrusions
Classification and detection of computer intrusions
Communications of the ACM
Communicating sequential processes
Communications of the ACM
An Event-Based Architecture Definition Language
IEEE Transactions on Software Engineering
Learning Program Behavior Profiles for Intrusion Detection
Proceedings of the Workshop on Intrusion Detection and Network Monitoring
Enforceable Security Policies
StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks
SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
A secure environment for untrusted helper applications confining the Wily Hacker
SSYM'96 Proceedings of the 6th conference on USENIX Security Symposium, Focusing on Applications of Cryptography - Volume 6
SLIC: an extensibility system for commodity operating systems
ATEC '98 Proceedings of the annual conference on USENIX Annual Technical Conference
Network security via reverse engineering of TCP code: vulnerability analysis and proposed solutions
INFOCOM'96 Proceedings of the Fifteenth annual joint conference of the IEEE computer and communications societies conference on The conference on computer communications - Volume 2
A high-performance network intrusion detection system
CCS '99 Proceedings of the 6th ACM conference on Computer and communications security
Model-Carrying Code (MCC): a new paradigm for mobile-code security
Proceedings of the 2001 workshop on New security paradigms
AngeL: a tool to disarm computer systems
Proceedings of the 2001 workshop on New security paradigms
Specification-based anomaly detection: a new approach for detecting network intrusions
Proceedings of the 9th ACM conference on Computer and communications security
STATL: an attack language for state-based intrusion detection
Journal of Computer Security
Panoptis: intrusion detection using a domain-specific language
Journal of Computer Security
Enabling trusted software integrity
Proceedings of the 10th international conference on Architectural support for programming languages and operating systems
Analysis and Results of the 1999 DARPA Off-Line Intrusion Detection Evaluation
RAID '00 Proceedings of the Third International Workshop on Recent Advances in Intrusion Detection
Experiences with Specification-Based Intrusion Detection
RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
BlueBoX: A policy-driven, host-based intrusion detection system
ACM Transactions on Information and System Security (TISSEC)
Web application security assessment by fault injection and behavior monitoring
WWW '03 Proceedings of the 12th international conference on World Wide Web
Empowering mobile code using expressive security policies
Proceedings of the 2002 workshop on New security paradigms
RAD: A Compile-Time Solution to Buffer Overflow Attacks
ICDCS '01 Proceedings of the The 21st International Conference on Distributed Computing Systems
Model-carrying code: a practical approach for safe execution of untrusted applications
SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
Enhancing byte-level network intrusion detection signatures with context
Proceedings of the 10th ACM conference on Computer and communications security
Security check: a formal yet practical framework for secure software architecture
Proceedings of the 2003 workshop on New security paradigms
Parametric regular path queries
Proceedings of the ACM SIGPLAN 2004 conference on Programming language design and implementation
A Hardware-Software Platform for Intrusion Prevention
Proceedings of the 37th annual IEEE/ACM International Symposium on Microarchitecture
An Approach for Secure Software Installation
LISA '02 Proceedings of the 16th USENIX conference on System administration
Preventing race condition attacks on file-systems
Proceedings of the 2005 ACM symposium on Applied computing
A testing framework for Web application security assessment
Computer Networks: The International Journal of Computer and Telecommunications Networking - Web security
System Call Monitoring Using Authenticated System Calls
IEEE Transactions on Dependable and Secure Computing
Automatic high-performance reconstruction and recovery
Computer Networks: The International Journal of Computer and Telecommunications Networking
Detecting and countering system intrusions using software wrappers
SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Privtrans: automatically partitioning programs for privilege separation
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Copilot - a coprocessor-based kernel runtime integrity monitor
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
A practical mimicry attack against powerful system-call monitors
Proceedings of the 2008 ACM symposium on Information, computer and communications security
Reconstructing system state for intrusion analysis
ACM SIGOPS Operating Systems Review
Intrusion Detection as Passive Testing: Linguistic Support with TTCN-3 (Extended Abstract)
DIMVA '07 Proceedings of the 4th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Alcatraz: An Isolated Environment for Experimenting with Untrusted Software
ACM Transactions on Information and System Security (TISSEC)
Fast Signature Matching Using Extended Finite Automaton (XFA)
ICISS '08 Proceedings of the 4th International Conference on Information Systems Security
Transparent Process Monitoring in a Virtual Environment
Electronic Notes in Theoretical Computer Science (ENTCS)
A testing framework for Web application security assessment
Computer Networks: The International Journal of Computer and Telecommunications Networking - Web security
Synthesising monitors from high-level policies for the safe execution of untrusted software
ISPEC'08 Proceedings of the 4th international conference on Information security practice and experience
Some ideas on virtualized system security, and monitors
DPM'10/SETOP'10 Proceedings of the 5th international Workshop on data privacy management, and 3rd international conference on Autonomous spontaneous security
Dynamic behavior matching: a complexity analysis and new approximation algorithms
CADE'11 Proceedings of the 23rd international conference on Automated deduction
Specification-based intrusion detection system for WiBro
ICHIT'11 Proceedings of the 5th international conference on Convergence and hybrid information technology
A new network anomaly detection technique based on per-flow and per-service statistics
CIS'05 Proceedings of the 2005 international conference on Computational Intelligence and Security - Volume Part II
SoIDPS: sensor objects-based intrusion detection and prevention system and its implementation
CIS'05 Proceedings of the 2005 international conference on Computational Intelligence and Security - Volume Part II
PADL'06 Proceedings of the 8th international conference on Practical Aspects of Declarative Languages
ICDCIT'04 Proceedings of the First international conference on Distributed Computing and Internet Technology
D_DIPS: an intrusion prevention system for database security
ICICS'05 Proceedings of the 7th international conference on Information and Communications Security
Hi-index | 0.00 |
To build survivable information systems (i.e., systems that continue to provide their services in spite of coordinated attacks), it is necessary to detect and isolate intrusions before they impact system performance or functionality. Previous research in this area has focussed primarily on detecting intrusions after the fact, rather than preventing them in the first place. We have developed a new approach based on specifying intended program behaviors using patterns over sequences of system calls. The patterns can also capture conditions on the values of system-call arguments. At runtime, we intercept the system calls made by processes, compare them against specifications, and disallow (or otherwise modify) those calls that deviate from specifications. Since our approach is capable of modifying a system call before it is delivered to the operating system kernel, it is capable of reacting before any damage-causing system call is executed by a process under attack. We present our specification language and illustrate its use by developing a specification for the ftp server. Observe that in our approach, every system call is intercepted and subject to potentially expensive operations for matching against many patterns that specify normal/abnormal behavior. Thus, minimizing the overheads incurred for pattern-matching is critical for the viability of our approach. We solve this problem by developing a new, low-overhead algorithm for matching runtime behaviors against specifications. A salient feature of our algorithm is that its runtime is almost independent of the number of patterns. In most cases, it uses a constant amount of time per system call intercepted, and uses a constant amount of storage, both independent of either the size or number of patterns. These benefits make our algorithm useful for many other intrusion detection methods that employ pattern-matching. We describe our algorithm, and evaluate its performance through experiments.