Synthesizing Fast Intrusion Prevention/Detection Systems from High-Level Specifications

Sekar, R. and Uppuluri, P. (1999) Synthesizing Fast Intrusion Prevention/Detection Systems from High-Level Specifications. Technical Report TR99-02, Department of Computer Science, Iowa State University.

Full text available as: PostScript, Adobe PDF


Synthesizing Fast Intrusion Prevention/Detection Systems from High-Level Specifications
R. Sekar, P. Uppuluri
Iowa State University, Ames IA
To build survivable information systems (i.e., systems that continue to
provide their services in spite of coordinated attacks), it is necessary to
detect and isolate intrusions before they impact system performance or
functionality. Previous research in this area has focused primarily on
detecting intrusions after the fact, rather than preventing them in the first
place. We have developed a new approach based on specifying intended program
behaviors using patterns over sequences of system calls. The patterns can also
capture conditions on the values of system-call arguments. At runtime, we
intercept the system calls made by processes, compare them against the
specifications, and disallow (or otherwise modify) those calls that deviate
from the specifications. Since our approach can modify a system call before it
is delivered to the operating system kernel, it can react before any
damage-causing system call is executed by a process under attack. We present
our specification language and illustrate its use by developing a
specification for the ftp server. Observe that in our approach every system
call is intercepted and subjected to potentially expensive matching against
many patterns that specify normal/abnormal behavior. Thus, minimizing the
overhead incurred for pattern matching is critical to the viability of our
approach. We solve this problem by developing a new, low-overhead algorithm
for matching runtime behaviors against specifications. A salient feature of
our algorithm is that its runtime is almost independent of the number of
patterns. In most cases, it uses a constant amount of time per system call
intercepted and a constant amount of storage, both independent of either the
size or the number of patterns. These benefits make our algorithm useful for
many other intrusion detection methods that employ pattern matching. We
describe our algorithm and evaluate its performance through experiments.

This research is supported in part by the Defense Advanced Research Projects
Agency's Information Technology Office (DARPA-ITO) under the Information
System Survivability program, contract number F30602-97-C-0244.
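
The approach sketched in the abstract, as a runnable illustration. This is an added example written for this page, not code from the technical report, and it substitutes my own machinery for the authors' specification language and matching algorithm: each intercepted call is folded, together with its argument condition, into a single symbol (for instance `open:outside_root`), abnormal-behaviour patterns are written as sequences of such symbols, and the whole pattern set is compiled into an Aho-Corasick automaton with a completed transition table, so that every intercepted call costs one table lookup and every monitored process keeps one integer of matcher state, regardless of how many patterns are loaded. `FTP_ROOT`, the `classify` function, the three ftp-server rules in `ABNORMAL_PATTERNS` and both traces are constructed for the example; the paper's actual ftp specification is not reproduced here.

```python
"""Added illustration (not the paper's code): a system-call pattern matcher whose
per-call work is one table lookup, independent of how many patterns are loaded,
with one integer of matcher state per monitored process."""
from collections import deque

FTP_ROOT = "/home/ftp"   # assumed directory the hypothetical ftpd must stay under


def classify(name, args):
    """Fold the argument condition into one symbol; constant work per call."""
    if name == "open":
        path = args["path"]
        inside = path == FTP_ROOT or path.startswith(FTP_ROOT + "/")
        return "open:inside_root" if inside else "open:outside_root"
    if name == "setuid":
        return "setuid:root" if args["uid"] == 0 else "setuid:user"
    return name            # any other call: just its name


# Hypothetical abnormal-behaviour specification for an ftp server.  A rule
# fires when the sequence of attempted calls ends with its pattern.
ABNORMAL_PATTERNS = {
    "file access outside ftp root": ("open:outside_root",),
    "privilege regained after drop": ("setuid:user", "setuid:root"),
    "exec after becoming root":     ("setuid:root", "execve"),
}


class Matcher:
    """Aho-Corasick automaton over call symbols: delta[state][symbol] -> state."""

    def __init__(self, patterns):
        goto, self.out = [{}], [[]]           # trie edges; rules ending at each state
        for rule, seq in patterns.items():
            s = 0
            for sym in seq:
                if sym not in goto[s]:
                    goto.append({})
                    self.out.append([])
                    goto[s][sym] = len(goto) - 1
                s = goto[s][sym]
            self.out[s].append(rule)
        alphabet = {sym for seq in patterns.values() for sym in seq}
        fail, order = [0] * len(goto), []     # failure links; BFS order, root excluded
        queue = deque(goto[0].values())
        while queue:
            s = queue.popleft()
            order.append(s)
            for sym, t in goto[s].items():
                f = fail[s]
                while f and sym not in goto[f]:
                    f = fail[f]
                fail[t] = goto[f].get(sym, 0)
                self.out[t] = self.out[t] + self.out[fail[t]]   # inherit suffix matches
                queue.append(t)
        # Complete the table so step() never walks failure links at run time.
        self.delta = [dict(g) for g in goto]
        for sym in alphabet:
            self.delta[0].setdefault(sym, 0)
        for s in order:
            for sym in alphabet:
                if sym not in self.delta[s]:
                    self.delta[s][sym] = self.delta[fail[s]][sym]

    def step(self, state, sym):
        # A symbol no pattern mentions cannot extend any match: back to the root.
        return self.delta[state].get(sym, 0)


class ProcessMonitor:
    """Per-process state is one integer, whatever the number or size of patterns."""

    def __init__(self, matcher):
        self.m, self.state = matcher, 0

    def intercept(self, name, args):
        """Decide before the call reaches the kernel: ("allow" | "deny", rules)."""
        self.state = self.m.step(self.state, classify(name, args))
        fired = self.m.out[self.state]
        # A denied call still advances the state: a blocked attempt stays part
        # of the history that later patterns may build on.
        return ("deny", list(fired)) if fired else ("allow", [])


def monitor(trace, patterns=ABNORMAL_PATTERNS):
    """Run one process's trace through a fresh monitor -> [(call, verdict, rules)]."""
    mon = ProcessMonitor(Matcher(patterns))
    return [(name, *mon.intercept(name, args)) for name, args in trace]


# Constructed traces (not real captures) of a hypothetical ftpd child process.
TRACE_PATH_ESCAPE = [("setuid", {"uid": 1001}), ("open", {"path": "/home/ftp/pub/README"}),
                     ("open", {"path": "/etc/passwd"}), ("setuid", {"uid": 0}),
                     ("execve", {"path": "/bin/sh"})]
TRACE_REGAIN_ROOT = [("setuid", {"uid": 1001}), ("setuid", {"uid": 0}),
                     ("execve", {"path": "/bin/sh"})]

if __name__ == "__main__":
    for trace in (TRACE_PATH_ESCAPE, TRACE_REGAIN_ROOT):
        for name, verdict, rules in monitor(trace):
            print(f"{name:7s} {verdict:5s} {', '.join(rules)}")
```

Running the file prints one verdict per attempted call: in the first trace the `open("/etc/passwd")` and the final `execve` are denied, in the second the `setuid(0)` that follows a privilege drop is denied and so is the `execve` after it. Two points from the abstract are visible in the code: the verdict is produced before the call would be executed, and the work per call does not grow with the rule set, because the failure-link walk has been precomputed into `delta` and the matcher's only per-process storage is `ProcessMonitor.state`. A real monitor would sit behind a kernel-level or ptrace-based interception layer feeding `intercept`, which this sketch omits.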

Subjects: All uncategorized technical reports
ID code: 00000201
Deposited by: Staff Account on 19 July 1999
