Computer Sciences Dept.

Computer Security and Cryptography Seminar:
August 2005 Events

Date & Location: Monday, August 29, 2005, 4:00 - 5:00 PM, 2310 CS

Event: Environment-Sensitive Intrusion Detection
Jonathon Giffin
Department of Computer Sciences, University of Wisconsin

This is a practice talk for Recent Advances in Intrusion Detection (RAID).

We perform host-based intrusion detection by constructing a model from a program's binary code and then restricting the program's execution by the model. We improve the effectiveness of such model-based intrusion detection systems by incorporating into the model knowledge of the environment in which the program runs, and by increasing the accuracy of our models with a new data-flow analysis algorithm for context-sensitive recovery of static data.

The environment (configuration files, command-line parameters, and environment variables) constrains acceptable process execution. Environment dependencies added to a program model update the model to the current environment at every program execution.

Our new static data-flow analysis associates a program's data flows with specific calling contexts that use the data. We use this analysis to differentiate system-call arguments flowing from distinct call sites in the program.

Using a new average reachability measure suitable for evaluation of callstack-based program models, we demonstrate that our techniques improve the precision of several test programs' models from 76% to 100%.


Created and maintained by Mihai Christodorescu (http://www.cs.wisc.edu/~mihai)
Created: Fri Jul 29 11:34:22 2005
Last modified: Fri Jul 29 11:35:25 Central Daylight Time 2005
 