Intrusion detection systems alert the system administrators of intrusions but, in most cases, do not provide details about which system events are relevant to the intrusion and how the system events are related. We consider intrusions of file systems. Existing tools, like BackTracker, help the system administrator backtrack from the detection point, which is a file with suspicious contents, to possible entry points of the intrusion by providing a graph containing dependency information between the various files and processes that could be related to the detection point. We improve such backtracking techniques by logging certain additional parameters of the file system during normal operations (real-time) and examining the logged information during the analysis phase. In addition, we use dataflow analysis within the processes related to the intrusion to prune unwanted paths from the dependency graph. This results in significant reduction in search space, search time, and false positives. We also analyze the effort required in terms of storage space and search time.
{"title":"Forensic analysis of file system intrusions using improved backtracking","authors":"S. Sitaraman, S. Venkatesan","doi":"10.1109/IWIA.2005.9","DOIUrl":"https://doi.org/10.1109/IWIA.2005.9","url":null,"abstract":"Intrusion detection systems alert the system administrators of intrusions but, in most cases, do not provide details about which system events are relevant to the intrusion and how the system events are related. We consider intrusions of file systems. Existing tools, like BackTracker, help the system administrator backtrack from the detection point, which is a file with suspicious contents, to possible entry points of the intrusion by providing a graph containing dependency information between the various files and processes that could be related to the detection point. We improve such backtracking techniques by logging certain additional parameters of the file system during normal operations (real-time) and examining the logged information during the analysis phase. In addition, we use dataflow analysis within the processes related to the intrusion to prune unwanted paths from the dependency graph. This results in significant reduction in search space, search time, and false positives. We also analyze the effort required in terms of storage space and search time.","PeriodicalId":247477,"journal":{"name":"Third IEEE International Workshop on Information Assurance (IWIA'05)","volume":"362 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2005-03-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115953271","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Anomaly detection based on monitoring of sequences of system calls has been shown to be an effective method for detection of previously unseen, potentially damaging attacks on hosts. This paper presents a new model for profiling normal program behavior for use in detection of intrusions that change application execution flow. This model is compact and efficient to operate and can be acquired using a combination of static analysis and dynamic learning. Our model (hybrid push down automata, HPDA) incorporates call stack information in the automata model and effectively captures the control flow of a program. Several important properties of the model are based on a unique correspondence relation between addresses and instructions within the model. These properties allow the HPDA to be acquired by dynamic analysis of an audit of the call stack log. Our strategy is to use static analysis to acquire a base model and then to use dynamic learning as a supplement to capture those aspects of behavior that are difficult to capture with static analysis due to techniques commonly used in modern programming environments. The model created by this combination method is shown to have a higher detection capability than models acquired by static analysis alone and a lower false positive rate than models acquired by dynamic learning alone.
{"title":"Combining static analysis and dynamic learning to build accurate intrusion detection models","authors":"Z. Liu, S. Bridges, R. Vaughn","doi":"10.1109/IWIA.2005.6","DOIUrl":"https://doi.org/10.1109/IWIA.2005.6","url":null,"abstract":"Anomaly detection based on monitoring of sequences of system calls has been shown to be an effective method for detection of previously unseen, potentially damaging attacks on hosts. This paper presents a new model for profiling normal program behavior for use in detection of intrusions that change application execution flow. This model is compact and efficient to operate and can be acquired using a combination of static analysis and dynamic learning. Our model (hybrid push down automata, HPDA) incorporates call stack information in the automata model and effectively captures the control flow of a program. Several important properties of the model are based on a unique correspondence relation between addresses and instructions within the model. These properties allow the HPDA to be acquired by dynamic analysis of an audit of the call stack log. Our strategy is to use static analysis to acquire a base model and then to use dynamic learning as a supplement to capture those aspects of behavior that are difficult to capture with static analysis due to techniques commonly used in modern programming environments. The model created by this combination method is shown to have a higher detection capability than models acquired by static analysis alone and a lower false positive rate than models acquired by dynamic learning alone.","PeriodicalId":247477,"journal":{"name":"Third IEEE International Workshop on Information Assurance (IWIA'05)","volume":"201 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2005-03-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116402480","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
This paper takes the stance that the kernel is responsible for preventing user processes from interfering with each other, and the overall secure operation of the system. Part of ensuring overall secure operation of the computer is preventing buffers in memory from having too much data written to them, overflowing them. This paper presents a technique for obtaining the writable bounds of any memory address. A new system call for obtaining these bounds, ptrbounds, is described that implements this technique. The system call was implemented in the Linux 2.4 kernel and can be used to detect most buffer overflow situations. Once an overflow has been detected it can be dealt with in a number of ways, including to limit the amount of information written to the buffer. Also, a method for accurately tracking the allocation of memory on the stack is proposed to enhance the accuracy of the technique. The intended use of ptrbounds is to provide programmers with a method for checking the bounds of pointers before writing data, and to automatically check the bounds of pointers passed to the kernel.
{"title":"Making the kernel responsible: a new approach to detecting & preventing buffer overflows","authors":"William R. Speirs","doi":"10.1109/IWIA.2005.10","DOIUrl":"https://doi.org/10.1109/IWIA.2005.10","url":null,"abstract":"This paper takes the stance that the kernel is responsible for preventing user processes from interfering with each other, and the overall secure operation of the system. Part of ensuring overall secure operation of the computer is preventing buffers in memory from having too much data written to them, overflowing them. This paper presents a technique for obtaining the writable bounds of any memory address. A new system call for obtaining these bounds, ptrbounds, is described that implements this technique. The system call was implemented in the Linux 2.4 kernel and can be used to detect most buffer overflow situations. Once an overflow has been detected it can be dealt with in a number of ways, including to limit the amount of information written to the buffer. Also, a method for accurately tracking the allocation of memory on the stack is proposed to enhance the accuracy of the technique. The intended use of ptrbounds is to provide programmers with a method for checking the bounds of pointers before writing data, and to automatically check the bounds of pointers passed to the kernel.","PeriodicalId":247477,"journal":{"name":"Third IEEE International Workshop on Information Assurance (IWIA'05)","volume":"116 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2005-03-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132390671","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Visualization of IP-based traffic dynamics on networks is a challenging task due to large data volume and the complex, temporal relationships between hosts. We present the architecture of VisFlowConnect-IP, a powerful new tool to visualize IP network traffic flow dynamics for security situational awareness. VisFlowConnect-IP allows an operator to visually assess the connectivity of large and complex networks on a single screen. It provides an overall view of the entire network and filter/drill-down features that allow operators to request more detailed information. Preliminary reports from several organizations using this tool report increased responsiveness to security events as well as new insights into understanding the security dynamics of their networks. In this paper we focus specifically on the design decisions made during the VisFlowConnect development process so that others may learn from our experience. The current VisFlowConnect architecture - the result of these design decisions - is extensible to processing other high-volume multi-dimensional data streams where link connectivity/activity is a focus of study. We report experimental results quantifying the scalability of the underlying algorithms for representing link analysis given continuous high-volume traffic flows as input.
{"title":"The design of VisFlowConnect-IP: a link analysis system for IP security situational awareness","authors":"Xiaoxin Yin, W. Yurcik, A. Slagell","doi":"10.1109/IWIA.2005.17","DOIUrl":"https://doi.org/10.1109/IWIA.2005.17","url":null,"abstract":"Visualization of IP-based traffic dynamics on networks is a challenging task due to large data volume and the complex, temporal relationships between hosts. We present the architecture of VisFlowConnect-IP, a powerful new tool to visualize IP network traffic flow dynamics for security situational awareness. VisFlowConnect-IP allows an operator to visually assess the connectivity of large and complex networks on a single screen. It provides an overall view of the entire network and filter/drill-down features that allow operators to request more detailed information. Preliminary reports from several organizations using this tool report increased responsiveness to security events as well as new insights into understanding the security dynamics of their networks. In this paper we focus specifically on the design decisions made during the VisFlowConnect development process so that others may learn from our experience. The current VisFlowConnect architecture - the result of these design decisions - is extensible to processing other high-volume multi-dimensional data streams where link connectivity/activity is a focus of study. We report experimental results quantifying the scalability of the underlying algorithms for representing link analysis given continuous high-volume traffic flows as input.","PeriodicalId":247477,"journal":{"name":"Third IEEE International Workshop on Information Assurance (IWIA'05)","volume":"18 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2005-03-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122233712","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: