{"title":"用于入侵检测的防护模型","authors":"Hassen Saïdi","doi":"10.1145/1255329.1255345","DOIUrl":null,"url":null,"abstract":"Host-based intrusion detection systems that monitor an application execution and report any deviation from its statically built model have seen tremendous progress in recent years. However, the weakness of these systems is that they often rely on overly abstracted models that reflect only the control flow structure of programs, and therefore are subject to so-called â mimicry attacksâ . Authors of these models have argued that capturing more of the data flow characteristics of a program is necessary to prevent a large class of attacks, in particular, non-control-data attacks. In this paper, we present the guarded model, a novel model that addresses the various deficiencies of the state-of-the-art intrusion detection systems. Our model is a generalization of previous models that offers no false alarms, a very low monitoring overhead, and is automatically generated. Our model detects mimicry attacks by combining control flow and data flow analysis, but can also tackle the ever increasingly threatening non-control-data flow attacks. Our model is the first model built automatically by combining control flow and data flow analysis using state-of-the-art tools for automatic generation and propagation of invariants. Our model not only prevents intrusions, but allows in some cases the detection of application logic bugs. Such bugs are beyond the reach of current intrusion detection systems","PeriodicalId":119000,"journal":{"name":"ACM Workshop on Programming Languages and Analysis for Security","volume":"84 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2007-06-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"12","resultStr":"{\"title\":\"Guarded models for intrusion detection\",\"authors\":\"Hassen Saïdi\",\"doi\":\"10.1145/1255329.1255345\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Host-based intrusion detection systems that monitor an application execution and report any deviation from its statically built model have seen tremendous progress in recent years. However, the weakness of these systems is that they often rely on overly abstracted models that reflect only the control flow structure of programs, and therefore are subject to so-called â mimicry attacksâ . Authors of these models have argued that capturing more of the data flow characteristics of a program is necessary to prevent a large class of attacks, in particular, non-control-data attacks. In this paper, we present the guarded model, a novel model that addresses the various deficiencies of the state-of-the-art intrusion detection systems. Our model is a generalization of previous models that offers no false alarms, a very low monitoring overhead, and is automatically generated. Our model detects mimicry attacks by combining control flow and data flow analysis, but can also tackle the ever increasingly threatening non-control-data flow attacks. Our model is the first model built automatically by combining control flow and data flow analysis using state-of-the-art tools for automatic generation and propagation of invariants. Our model not only prevents intrusions, but allows in some cases the detection of application logic bugs. Such bugs are beyond the reach of current intrusion detection systems\",\"PeriodicalId\":119000,\"journal\":{\"name\":\"ACM Workshop on Programming Languages and Analysis for Security\",\"volume\":\"84 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2007-06-14\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"12\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"ACM Workshop on Programming Languages and Analysis for Security\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/1255329.1255345\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Workshop on Programming Languages and Analysis for Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/1255329.1255345","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Host-based intrusion detection systems that monitor an application execution and report any deviation from its statically built model have seen tremendous progress in recent years. However, the weakness of these systems is that they often rely on overly abstracted models that reflect only the control flow structure of programs, and therefore are subject to so-called â mimicry attacksâ . Authors of these models have argued that capturing more of the data flow characteristics of a program is necessary to prevent a large class of attacks, in particular, non-control-data attacks. In this paper, we present the guarded model, a novel model that addresses the various deficiencies of the state-of-the-art intrusion detection systems. Our model is a generalization of previous models that offers no false alarms, a very low monitoring overhead, and is automatically generated. Our model detects mimicry attacks by combining control flow and data flow analysis, but can also tackle the ever increasingly threatening non-control-data flow attacks. Our model is the first model built automatically by combining control flow and data flow analysis using state-of-the-art tools for automatic generation and propagation of invariants. Our model not only prevents intrusions, but allows in some cases the detection of application logic bugs. Such bugs are beyond the reach of current intrusion detection systems
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
