Paper Appeared at RAID 2005

Posted 09 September 2005

The paper Environment-Sensitive Intrusion Detection by Jonathon T. Giffin (pictured at left), Somesh Jha (pictured at center), Barton P. Miller (pictured at right), David Dagon, and Wenke Lee appeared at the Eighth International Conference on Recent Advances in Intrusion Detection (RAID). The conference was held September 7–9 in Seattle, Washington. Jon presented the paper at the conference.

The authors performed host-based intrusion detection by constructing a model from a program's binary code and then restricting the program's execution by the model. They improved the effectiveness of such model-based intrusion detection systems by incorporating into the model knowledge of the environment in which the program runs, and by increasing the accuracy of their models with a new data-flow analysis algorithm for context-sensitive recovery of static data.

The environment—configuration files, command-line parameters, and environment variables—constrains acceptable process execution. Environment dependencies added to a program model update the model to the current environment at every program execution.
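A simplified illustration of an environment dependency, added here and not taken from the paper or the authors' system: the model is reduced to a set of allowed arguments per system call (the paper's models also constrain control flow and the call stack), and the `$ENV{...}` / `$ARGV{...}` template syntax, the `MODEL` contents, and the function names are hypothetical.

```python
import re

# Constructed model: allowed argument templates per system call.
# $ENV{NAME} and $ARGV{n} mark environment dependencies (hypothetical syntax).
MODEL = {
    "open": ["/etc/app.conf", "$ENV{TMPDIR}/app.lock", "$ARGV{1}"],
    "unlink": ["$ENV{TMPDIR}/app.lock"],
}

_DEP = re.compile(r"\$(ENV|ARGV)\{(\w+)\}")


def instantiate(model, environ, argv):
    """Resolve environment dependencies once, at the start of an execution."""
    def resolve(template):
        unresolved = False

        def sub(match):
            nonlocal unresolved
            kind, key = match.groups()
            try:
                return environ[key] if kind == "ENV" else argv[int(key)]
            except (KeyError, IndexError, ValueError):
                unresolved = True  # dependency absent in this environment
                return ""

        value = _DEP.sub(sub, template)
        # A template whose dependency is missing permits nothing.
        return None if unresolved else value

    return {
        call: {v for v in map(resolve, templates) if v is not None}
        for call, templates in model.items()
    }


def check_trace(concrete, trace):
    """Return the first (syscall, argument) the model rejects, or None."""
    for call, arg in trace:
        if arg not in concrete.get(call, set()):
            return (call, arg)
    return None
```

The same trace can be accepted in one environment and rejected in another, because the concrete model is rebuilt from the templates at each execution.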

Their new static data-flow analysis associates a program's data flows with specific calling contexts that use the data. They use this analysis to differentiate system-call arguments flowing from distinct call sites in the program.

Using a new average reachability measure suitable for evaluation of call-stack-based program models, the authors demonstrated that their techniques improved the precision of several test programs' models from 76% to 100%.

The paper is available online: [Abstract] [pdf] [ps]




This page updated October 12, 2005.