On Effective Model-Based Intrusion Detection
msra(2008)
Abstract
Model-based intrusion detectors restrict program execution to a previously computed model of expected behavior. We consider two classes of attacks against these systems: bypass attacks that evade detection by avoiding the detection system altogether, and transformational attacks that alter a detected attack into a semantically-equivalent attack that goes undetected. Recent detection approaches are problematic and do not effectively address these threats. We see reductions or outright failures in effectiveness and efficiency when systems (1) monitor execution at the library call interface, (2) provide accuracy via inlining of statically-constructed program models, or (3) use simplistic analysis of indirect function calls. Attacks can defeat library-call monitors by directly executing operating system kernel traps. Inlined models grow exponentially large at the trap interface: models for several test programs are 12,000 to 38,000 times larger at the trap interface than at the library call interface. Naïve indirect call analysis produces models 14 to 177 times larger than models built with in-depth analysis and that are less able to detect attacks. In examining these issues, our aim is to reveal complexities of model-based detection that have not been previously well understood.
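As an added illustration of the bypass attack the abstract describes (constructed example code, not from the paper or its authors), a toy program model is checked once at the library-call interface and once at the kernel trap interface: a trap issued directly, without going through the library wrapper, produces no library-call event, so only the trap-level monitor sees the execution leave the model. The automaton, its states and the event names are assumptions chosen for the example.

```python
from collections import defaultdict


class ProgramModel:
    """Nondeterministic finite automaton over observed call events.

    Constructed toy model, not the paper's construction: states stand for
    program points, transitions are labelled with the call observed between them.
    """

    def __init__(self, start, accepting):
        self.start = start
        self.accepting = set(accepting)
        self.delta = defaultdict(set)  # (state, event) -> set of next states

    def add(self, src, event, dst):
        self.delta[(src, event)].add(dst)

    def accepts(self, trace):
        """Run the NFA over the trace; False means execution left the model."""
        current = {self.start}
        for event in trace:
            current = {d for s in current for d in self.delta[(s, event)]}
            if not current:
                return False
        return bool(current & self.accepting)


def library_model():
    """Expected behaviour as seen at the library-call interface (constructed)."""
    m = ProgramModel("s0", ["s3"])
    m.add("s0", "fopen", "s1"); m.add("s1", "fread", "s2"); m.add("s2", "fclose", "s3")
    return m


def trap_model():
    """The same expected behaviour as seen at the kernel trap interface (constructed)."""
    m = ProgramModel("t0", ["t3"])
    m.add("t0", "open", "t1"); m.add("t1", "read", "t2"); m.add("t2", "close", "t3")
    return m


# Each run is a constructed list of (library event or None, trap event) pairs.
# None means the trap was issued directly, so the library-call monitor sees nothing.
BENIGN_RUN = [("fopen", "open"), ("fread", "read"), ("fclose", "close")]
BYPASS_RUN = [("fopen", "open"), ("fread", "read"), (None, "write"), ("fclose", "close")]


def verdicts(run):
    """Return each monitor's accept/reject decision for one execution."""
    lib_trace = [lib for lib, _ in run if lib is not None]
    trap_trace = [trap for _, trap in run]
    return {"library_monitor": library_model().accepts(lib_trace),
            "trap_monitor": trap_model().accepts(trap_trace)}
```

For the bypass run the library-level monitor still accepts while the trap-level monitor rejects, which is the gap the abstract attributes to monitoring at the library call interface.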