Anatomy of a real-time intrusion prevention system

5th International Conference on Autonomic Computing, ICAC 2008

Volumn , Issue , 2008, Pages 151-160

  Koller, Ricardo ^a   Rangaswami, Raju ^a   Marrero, Joseph ^a   Hernandez, Igor ^a   Smith, Geoffrey ^a   Barsilai, Mandy ^a   Necula, Silviu ^a   Sadjadi, S Masoud ^a   Li, Tao ^a   Merrill, Krista ^a  

^a FLORIDA INTERNATIONAL UNIVERSITY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

AUTONOMIC COMPUTING; INTERNATIONAL CONFERENCES; INTRUSION PREVENTION SYSTEM;

BEHAVIORAL RESEARCH; COMPUTER NETWORKS; LARGE SCALE SYSTEMS; SERVERS;

INTRUSION DETECTION;

EID: 51649104949     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/ICAC.2008.24     Document Type: Conference Paper

References (39)

1. K. Ilgun, R. A. Kemmerer, and P. A. Porras, "State Transition Analysis: A Rule-Based Intrusion Detection Approach," IEEE Transactions on Sortware Engineering, vol. 20, no. 5, March 1995.
2. R. Sekar and P. Uppuluri, "Synthesizing Fast Intrusion Prevention/Detection Systems from High-Level Specifications," Proc. of the USENIX Security Symposium, August 1999.
3. A. Joshi, S. T. King, G. W. Dunlap, and P. M. Chen, "Detecting Past and Present Intrusions through Vulnerability-Specific Predicates," Proc. of the Symposium on Operating Systems Principles, October 2005.
4. D. Denning, "An Intrusion-Detection Model," IEEE Transactions on Software Engineering, vol. 13, no. 2, pp. 222-232, February 1987.
5. S. A. Hofmeyr, S. Forrest, and A. Somayaji, "Intrusion Detection Using Sequences of System Calls," Journal of Computer Security, vol. 6, no. 3, pp. 151-180, 1998.
6. R. Sekar, M. Bendre, D. Dhurjati, and P. Bollineni, "A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors," Proc. of the IEEE Symposium on Security and Privacy, May 2001.
7. C. Cowan, C. Pu, D. Maier, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, Q. Zhang, and H. Hinton, "StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks," Proc. of the 7th USENIX Security Conference, January 1998.
8. G. H. Kim and E. H. Spafford, "The Design and Implementation of Tripwire: A File System Integrity Checker," in Proc. of the ACM Conference on Computer and Communications Security, 1994.
9. M. Roesch, "Snort - Lightweight Intrusion Detection for Networks," Proc. of the Large Systems Administration Conference, November 1999.
10. V. Paxson, "Bro: A System for Detecting Network Intruders in Real-Time," Proc. of the USENIX Security Symposium, January 1998.
11. C. Ko, G. Fink, and K. Levitt, "Automated Detection of Vulnerabilities in Priviledged Programs by Execution Monitoring," Proc. of the 10th Annual Computer Security Applications Conference, December 1994.
12. K. M. Walker, D. F. Sterne, M. L. Badger, M. J. Petkac, D. L. Shermann, and K. A. Oostendorp, "Confining Root Programs with Domain and Type Enforcement (DTE)," Proc. of the USENIX Security Symposium, July 1996.
13. M. Bishop and M. Dilger, "Checking for Race Conditions in File Accesses," Computing Systems, vol. 9, no. 2, pp. 131-152, 1996.
14. J. Wei and C. Pu, "TOCTTOU Vulnerabilities in UNIX-Style File Systems: An Anatomical Study," Proc. of the USENIX Conference on File and Storage Technologies, December 2005.
15. S. Axelsson, "The Base-Rate Fallacy and the Difficulty of Intrusion Detection," ACM Transactions on Information System Security, vol. 3, no. 3, pp. 186-205, Aug. 2000.
16. C. E. Landwehr, A. R. Bull, J. P. McDermott, and W. S. Choi, "A Taxonomy of Computer Program Security Flaws," ACM Computing Surveys, vol. 26, no. 3, pp. 211-254, September 1994.
17. P. G. Neumann, "Computer System Security Evaluation," Proc. of the National Computer Conference, June 1978.
18. M. Bishop, "A Taxonomy of Unix System and Network Vulnerabilities," University of California, Davis Technical Report CSE-9510, May 1995.
19. S. Forrest, S. A. Hofmeyr, A. Somayaji, and T. A. Longstaff, "A Sense of Self for Unix Processes," in Proc. of the IEEE Symposium on Research in Security and Privacy, May 1996.
20. Security Focus, "BZip2 CHMod File Permission Modification Race Condition Weakness," http://www.securityfocus.com/bid/12954/, 2005.
21. Wojciech Purczynski / cliph / jwp@elzabsoft.pl, "Exploit for execve/ptrace race condition in Linux kernel up to 2.2.19,", 2001.
22. Security Focus, "GNU Tar Hostile Destination Path Variant Vulnerability," http://www.securityfocus.com/bid/5834/, 2002.
23. F-Secure, "F-Secure Virus Descriptions: Tornkit," http://www.fsecure.com/v-descs/torn.shtml, 2001.
24. Security Focus, "X. Org X Window Server Local Privilege Escalation Vulnerability," http://www.securityfocus.com/bid/17169/, 2006.
25. C. Ko, M. Ruschitzka, and K. Levitt, "Execution Monitoring of Security-Critical Programs in Distributed Systems: A Specification-based Approach," Proc. of the IEEE Symposium on Security and Privacy, May 1997.
26. N. Provos, "Improving Host Security with System Call Policies," Proc. of the USENIX Security Symposium, August 2003.
27. J. N. Herder, H. Bos, B. Gras, P. Homburg, and A. S. Tanenbaum, "Modular System Programming in MINIX 3," login: The USENIX Magazine, vol. 31, no. 2, April 2006.
28. K. M. C. Tan and R. A. Maxion, ""why 6?" defining the operational limits of stide, an anomaly-based intrusion detector," in Proc. of the IEEE Symposium on Security and Privacy, 2002.
29. D.-K. Kang, D. Fuller, and V Honavar, "Learning classifiers for misuse and anomaly detection using a bag of system calls representation." in Proc. of 6th IEEE Systems Man and Cybernetics Information Assurance Workshop (IAW)., 2005.
30. D. Mutz, F. Valeur, C. Kruegel, and G. Vigna, "Anomalous System Call Detection," ACM Transactions on Information and System Security (TISSEC), vol. 9, no. 1, pp. 61-93, February 2006.
31. D. Gao, M. K. Reiter, and D. Song, "Behavioral Distance for Intrusion Detection," in Proc. of RAID 2005, September 2006.
32. J. T. Giffin, D. Dagon, S. Jha, W. Lee, and B. P. Miller, "Environment-Sensitive Intrusion Detection," Proc. of the International Symposium on Recent Advances in Intrusion Detection, September 2005.
33. A. Somayaji and S. Forrest, "Automated response using System-Call delays," in Proc. of the USENIX Security Symposium, August 2000.
34. W. Lee, J. B. D. Cabrera, A. Thomas, N. Balwalli, S. Saluja, and Y. Zhang, "Performance Adaptation in Real-Time Intrusion Detection Systems," in Recent Advances in Intrusion Detection, 2002.
35. W. Lee and S. J. Stolfo, "A Framework for Constructing Features and Models for Intrusion Detection Systems," ACM Transactions on Information and Systems Security, vol. 3, no. 4, pp. 227-261, 2000.
36. L. Wang, A. Liu, and S. Jajodia, "An Efficient and Unified Approach to Correlating, Hypothesizing, and Predicting Network Intrusion Alerts," Proc. of the 10th European Symposium on Research in Computer Security (ESORICS 2005), September 2005.
37. K. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, and A. Keromytis, "Detecting Targeted Attacks Using Shadow Honeypots," Proc. of the USENIX Security Symposium, August 2005.
38. S. T. Eckmann, G. Vigna, and R. A. Kemmerer, "STATL: An Attack Language for State-based Intrusion Detection," Journal of Computer Security, vol. 10, no. 1/2, pp. 71-104, 2002.
39. S. T. King and P. M. Chen, "Backtracking Intrusions," Proc. of the Symposium on Operating Systems Principles (SOSP), October 2003.