Efficient context-sensitive intrusion detection

Jonathon T. Giffin, Somesh Jha, and Barton P. Miller.

In 11th Network and Distributed System Security Symposium (NDSS).

San Diego, California, February 2004.

Model-based intrusion detection compares a process's execution against a program model to detect intrusion attempts. Models constructed from static program analysis have historically traded precision for efficiency. We address this problem with our Dyck model, the first efficient statically-constructed context-sensitive model. This model specifies both the correct sequences of system calls that a program can generate and the stack changes occurring at function call sites. Experiments demonstrate that the Dyck model is an order of magnitude more precise than a context-insensitive finite state machine model. With null call squelching, a dynamic technique to bound cost, the Dyck model operates in time similar to the context-insensitive model.
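
To make the abstract's central point concrete, the following is an added example, not the authors' code or the paper's implementation: a toy program model built from a constructed two-function program, checked both as a context-insensitive finite state machine and as a Dyck model (a pushdown automaton whose push and pop symbols are the call sites). The program, the event encoding and the two traces are all constructed for this illustration; the impossible path, where a return from log() lands at the wrong call site so that execve runs twice, is accepted by the context-insensitive model and rejected by the Dyck model.

```python
from collections import defaultdict
# Constructed toy program (not from the paper): main() calls log() from two
# call sites, s1 and s2, and performs exactly one execve between them.
PROGRAM = {
    "main": [("call", "log", "s1"), ("sys", "execve"),
             ("call", "log", "s2"), ("sys", "exit")],
    "log":  [("sys", "write")],
}

def build_model(program):
    """States are (function, pos); labels ('sys', name), ('push', site), ('pop', site)."""
    edges = defaultdict(list)
    for func, body in program.items():
        for i, ev in enumerate(body):
            src, dst = (func, i), (func, i + 1)
            if ev[0] == "sys":
                edges[src].append((ev, dst))
            else:                      # call site: push on entry, matching pop on return
                _, callee, site = ev
                edges[src].append((("push", site), (callee, 0)))
                edges[(callee, len(program[callee]))].append((("pop", site), dst))
    return edges

def accepts(edges, trace, context_sensitive, start=("main", 0)):
    """Nondeterministic run over observed syscalls and stack changes. The Dyck
    model takes a pop edge only if its site matches the stack top; the
    context-insensitive FSM takes any pop edge (an inlined automaton)."""
    configs = {(start, ())}
    for ev in trace:
        nxt = set()
        for state, stack in configs:
            for label, dst in [e for e in edges.get(state, ()) if e[0] == ev]:
                if label[0] == "push":
                    nxt.add((dst, stack + (label[1],)))
                elif label[0] == "sys" or not context_sensitive:
                    nxt.add((dst, stack))
                elif stack and stack[-1] == label[1]:
                    nxt.add((dst, stack[:-1]))
        configs = nxt
        if not configs:
            return False               # no model path explains the event: alarm
    return True

MODEL = build_model(PROGRAM)
# Normal run: one execve, each return matched to the site that pushed it.
BENIGN = [("push", "s1"), ("sys", "write"), ("pop", "s1"), ("sys", "execve"),
          ("push", "s2"), ("sys", "write"), ("pop", "s2"), ("sys", "exit")]
# Impossible path: log() entered at s2 "returns" to s1's continuation, so execve runs twice.
IMPOSSIBLE = BENIGN[:6] + [("pop", "s1"), ("sys", "execve"), ("push", "s2"),
                           ("sys", "write"), ("pop", "s2"), ("sys", "exit")]
```

Running `accepts(MODEL, IMPOSSIBLE, False)` returns True while `accepts(MODEL, IMPOSSIBLE, True)` returns False; both modes accept BENIGN. The real Dyck model obtains the push and pop events by walking the process stack at each system call, which this toy takes as given in the trace.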

We also present two static analysis techniques designed to counter mimicry and evasion attacks. Our branch analysis identifies between 32% and 64% of our test programs' system call sites as affecting control flow via their return values. Interprocedural argument capture of general values recovers 32% to 69% more arguments than previously reported techniques.

Paper: [pdf] [ps]
Slides: [ppt] [pdf]

This page updated April 20, 2006.