Bluebox: A policy-driven, host-based intrusion detection system

ACM Transactions on Information and System Security

Volumn 6, Issue 2, 2003, Pages 173-200

  Chari, Suresh N ^a,b   Cheng, Pau Chen ^a,b  

^a IBM T J WATSON RESEARCH CENTER   (United States)

^b IBM   (United States)

Author keywords

Intrusion detection; Policy; Sandboxing; System call introspection

Indexed keywords

COMMUNICATION FLOW; INTRUSION DETECTION; SANDBOXING; SYSTEM CALL INTROSPECTION;

COMPUTER NETWORKS; COMPUTER OPERATING SYSTEMS; COMPUTER SYSTEM FIREWALLS; CRYPTOGRAPHY; NETWORK PROTOCOLS; SERVERS;

INFORMATION TECHNOLOGY;

EID: 2942749266     PISSN: 10949224     EISSN: None     Source Type: Journal    
DOI: 10.1145/762476.762477     Document Type: Article

References (37)

1. ANDERSON, D., LUNT, T. F., JAVITZ, H., TAMAHU, A., AND VALDES, A. 1993. SAFEGUARD FINAL REPORT: Detecting unusual program behavior using the NIDES statistical component, Tech. Rep., Computer Science Laboratory, SRI International, Menlo Park, CA, USA.
2. ASHCRAFT, K. AND ENGLER, D. 2002. Using programmer-written compiler extensions to catch security holes. In Proceedings of the 2002 IEEE Symposium on Security and Privacy.
3. ATKINSON, R. 1995. Security architecture for the Internet protocol. Internet RFC 1825.
4. BERNASCHI, M., GABRIELLI, E., AND MANCINI, L. 2000. Enhancements to the Linux kenel for blocking buffer overflow based attacks. Available at http://www.iac.rm.cnr.it/newweb/tecno/papers/bufoverp.
5. BERNASCHI, M., GABRIELLI, E., AND MANCINI, L. V. 2002. REMUS: A security-enhanced operating system. ACM Trans. Inf. Syst. Sec. 5, 1 (February).
6. BISHOP, M. AND DILGER, M. 1996. Checking for race conditions in file accesses. Computing Syst. 9, 2, 131-152.
7. CHARI, S. N. AND CHENG, P. C. 2002. BlueBox: A policy-driven, host-based intrusion detection system. In Network and Distributed System Security Symposium.
8. COWAN, C., BEATTIE, S., KROAH-HARTMAN, G., PU, C., WAGGLE, P., AND GLIGOR, V. 2000. SubDomain: Parsimonious server security. In Proceedings of the 14th Systems Administration Conference (LISA 2000).
9. CROSBIE, M., DOLE, B., ELLIS, T., KRSUL, I., AND SPAFFORD, E. 1996. IDIOT users guide. Tech. Report CSD-TR-96-050, COAST Laboratory, Dept. of Computer Sciences, Purdue University.
10. DEBAR, H., DACIER, M., NASSEHI, M., AND WESPI, A. 1998. Fixed vs. variable-length patterns for detecting suspicious process behavior. Research Report, No. RZ3012, IBM Research Division, Zurich Research Lab.
11. DEBAR, H., DACIER, M., AND WESPI, A. 1999. Towars a taxonomy of intrusion detection systems. Computer Networks 31.
12. DIERKS, T. AND ALLEN, C. 1997. The TLS protocol version 1.0. IETF 〈draft-ietf-tls-protocol-02.txt〉.
13. DoD 1985. US Department of Defense trusted computer system evaluation criteria. DOD 5200.28-STD. Available at http://www.radium.ncsc.mil/tpep/library/ rainbow/index.html.
14. ERLINGSSON, Ú. AND SCHNEIDER, F. B. 2000. IRM enforcement of Java stack inspection. In IEEE Symposium on Security and Privacy.
15. FORREST, S., HOFMEYR, S. A., SOMAYAJI, A., AND LONGSTAFF, T. A. 1996. A Sense of self for UNIX processes. In IEEE Symposium on Security and Privacy.
16. FRASER, T., BADGER, L., AND FELDMAN, M. 1999. Hardening COTS software with generic software wrappers. In Proceedings of the IEEE Symposium on Security and Privacy.
17. FREIER, A. O., KARLTON, P., AND KOCHER, P. C. 1996. The SSL protocol version 3.0. IETF 〈draftietf-tls-ssl-version3-00.txt〉.
18. JACKSON, K. A. 1999. Intrusion Detection System (IDS) product review. IBM internal confidential document, IBM Research Division, Zurich Research Lab.
19. JAIN, K. AND SEKAR, R. 2000. User-level infrastructure for system call interposition: A platform for intrusion detection and confinement. In Proceedings of the Network and Distributed Systems Security Symposium.
20. JAVITZ, H. AND VALDES, A. 1994. The NIDES statistical component description and justification. Tech. Rep., Computer Science Laboratory, SRI International, Menlo Park, Cal., USA.
21. JVM 2001. The Java virtual machine. Available at http://www.javasoft.com.
22. KO, C., FRASER, T., BADGER, L., AND KILPATRICK, D. 2000. Detecting and countering system intrusions using software wrappers. In Proceedings of the 9th USENIX Security Symposium.
23. LEFFLĖR, S. J., JOY, W. N., FARBY, R. S., AND KAREL, M. J. 1986. Networking implementation notes, 4.3BSD edition. In UNIX System Manager's Manual, 4.3 Berkeley Software Distribution, Virtual VAX-11 Edition. USENIX Association.
24. LSM. The Linux Security Module Project. Code available at http://lsm.immunix.org.
25. McKUSICK, M. K., BOSTIC, K., KARLES, M. J., AND QUARTERMAN, J. S. 1996. The Design and Implementation of the 4.4 BSD Operating System. Addison Wesley, New York City, USA, 67, 540.
26. PAXSON, V. 1998. Bro: A system for detecting network intruders in real-time. In the 7th USENIX Security Symposium.
27. PTACEK, T. H. AND NEWSHAM, T. N. 1998. Insertion, evasion, and denial of services: Eluding network intrusion detection. Available at http://www.nai.com.
28. RANUM, M. J., LANDFIELD, K., STOLARCHUK, M., SIENKIEWICZ, M., LAMETH, A., AND WALL, E. 1997. Implementing a generalized tool for network monitoring. In the 11th USENIX Systems Administrator Conference.
29. SEKAR, R. AND UPPULURI, P. 1999. Synthesizing fast intrusion detection systems from high-level specifications. In the 8th USENIX Security Symposium, 63-78.
30. SELINUX. Security-enhanced Linux. Available at http://wvw.nsa.gov/ selinux/.
31. WAGNER, D. A. 1999. Janus: An approach for confinement of untrusted applications. Tech. Rep. CSD-99-1056, University of California at Berkeley.
32. WAGNER, D. A. AND DEAN, D. 2001. Intrusion detection via static analysis. In Proceedings of the 2001 IEEE Symposium on Security and Privacy.
33. WALKER, K. M., STERNE, D. F., BADGER, M. L., PETKAC, M. J., SHERMANN, D. L., AND OOSTENDROP, K. A. 1996. Confining root programs with domain and type enforcement. In the 6th USENIX Security Symposium.
34. WEBSPHERE 2001. WebSphere V4.0 Advanced Edition Handbook. Available at http://www.redbooks.ibm.com/redpieces/pdfs/sg246176.pdf.
35. WUFTP. Source code to exploit the heap overflow in wu-ftpd. Available at http://oliver.efri.hr/~crv/security/bugs/mUNIXes/wuftpd16.html.
36. XIE, H. AND BIONDI, P. 2001. The Linux Intrusion Detection Project. Available at http://www.lids.org.
37. ZHANG, X., EDWARDS, A., AND JAEGER, T. 2002. Using CQUAL for static analysis of authorization hook placement. In the 11th Usenix Security Symposium.