Understanding Precision in Host Based Intrusion Detection
RAID(2007)
摘要
Many host-based anomaly detection systems monitor process execution at the granularity of system calls. Other recently proposed
schemes instead verify the destinations of control-flow transfers to prevent the execution of attack code. This paper formally
analyzes and compares real systems based on these two anomaly detection philosophies in terms of their attack detection capabilities,
and proves and disproves several intuitions. We prove that for any system-call sequence model, under the same (static or dynamic)
program analysis technique, there always exists a more precise control-flow sequence based model. While hybrid approaches
combining system calls and control flows intuitively seem advantageous, especially when binary analysis constructs incomplete
models, we prove that they have no fundamental advantage over simpler control-flow models. Finally, we utilize the ideas in
our framework to make external monitoring feasible at the precise control-flow level. Our experiments show that external control-flow
monitoring imposes performance overhead comparable to previous system call based approaches while detecting synthetic and
real world attacks as effectively as an inlined monitor.
更多查看译文
关键词
anomaly detection,formal analysis,program models.,programming model,intrusion detection,control flow
AI 理解论文
溯源树
样例
生成溯源树,研究论文发展脉络
Chat Paper
正在生成论文摘要