Society's increasing reliance on networked information systems to support critical infrastructures has prompted interest in making the information systems survivable, so that they continue to perform critical functions even in the presence of vulnerabilities susceptible to malicious attacks. To enable vulnerable systems to survive attacks, it is necessary to detect attacks and isolate failures resulting from attacks before they damage the system by impacting functionality, performance or security. The key research problems in this context include:
• detecting in-progress attacks before they cause damage, as opposed to detecting attacks after they have succeeded,
• localizing and/or minimizing damage by isolating attacked components in real-time, and
• tracing the origin of attacks.
We address the detection problem by real-time event monitoring and comparison against events known to be unacceptable. Real-time detection differentiates our approach from previous works that focus on intrusion detection by post-attack evidence analysis. We address the isolation and tracing problems by supporting automatic initiation of reactions. Reactions are programs that we develop to respond to attacks. A reaction's primary goal is to isolate compromised components and prevent them from damaging other components. A reaction's secondary goal is to aid in tracing the origin of attack, e.g., by providing an illusion of success to the attackers (enticing them to continue the attack) while ensuring that the attack causes no damage. Our approach to detecting attacks is based on specifying permissible process behaviors as logical assertions on sequences of system calls and conditions on the values of system call arguments. We compile the specifications into finite state automata for efficient runtime detection of deviations from the specified (and hence permissible) behavior. We seamlessly integrate detection and reaction by designing our specification language to also allow specification of reactions.
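As an added illustration of the detection-and-reaction scheme the abstract describes (example code, not from the paper): the permissible behaviour of a hypothetical read-only log-reading service is written directly as a finite state automaton whose transitions are guarded by predicates on system call arguments; the monitor steps the automaton over a constructed system call trace and hands the first deviation to a reaction that isolates the process and returns a faked success. The service, its allowed paths, the syscall names and the traces are all assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One observed system call: its name and a tuple of argument values."""
    syscall: str
    args: tuple


def open_readonly(args):
    """Guard on open(): only read-only opens of files under /etc or /var/log
    (path must not start with '.' after the prefix, so '..' traversal fails)."""
    if len(args) != 2:
        return False
    path, flags = args
    return flags == "O_RDONLY" and re.match(r"^/(etc|var/log)/[^.]", path) is not None


def always(args):
    return True


# Hand-compiled automaton for the assumed service: (state, syscall) maps to a list
# of (guard, next_state). Any (state, syscall) pair with no satisfied guard is a
# deviation from the specified (and hence permissible) behaviour.
AUTOMATON = {
    ("idle", "open"):     [(open_readonly, "reading")],
    ("reading", "read"):  [(always, "reading")],
    ("reading", "close"): [(always, "idle")],
    ("idle", "exit"):     [(always, "done")],
}


def step(state, event):
    """Return the successor state, or None when no permissible transition exists."""
    for guard, nxt in AUTOMATON.get((state, event.syscall), []):
        if guard(event.args):
            return nxt
    return None


def isolate_and_deceive(state, event):
    """Reaction: the real call is never made; the caller is told it succeeded
    (fake result 0) so an attacker keeps going while nothing is damaged."""
    return ("isolated", state, event.syscall, {"fake_result": 0})


def monitor(trace, reaction):
    """Run the trace through the automaton in order; on the first deviation,
    stop and return whatever the reaction reports, otherwise ('ok', final_state)."""
    state = "idle"
    for event in trace:
        nxt = step(state, event)
        if nxt is None:
            return reaction(state, event)
        state = nxt
    return ("ok", state)
```

Because the automaton decides each event as it arrives, a deviation is reported at the offending call rather than after the fact, which is the real-time property the abstract contrasts with post-attack evidence analysis.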