Intrusion detection using signatures extracted from execution profiles

An application based intrusion detection system is a security mechanism designed to detect malicious behavior that could compromise the security of a software application. Our aim is to develop such a system that operates on signatures extracted from execution profiles. These signatures are not desc...

Celý popis

Uloženo v:
Podrobná bibliografie
Vydáno v:2009 ICSE Workshop on Software Engineering for Secure Systems s. 17 - 24
Hlavní autoři: El-Ghali, M., Masri, W.
Médium: Konferenční příspěvek
Jazyk:angličtina
Vydáno: Washington, DC, USA IEEE Computer Society 19.05.2009
IEEE
Edice:ACM Conferences
Témata:
Application software
Computer security
Computerized monitoring
Conferences
Intrusion detection
Java
Pattern matching
Probes
Runtime
Security and privacy > Software and application security > Software security engineering
Software and its engineering > Software creation and management > Software verification and validation > Software defect analysis > Software testing and debugging
Software and its engineering > Software organization and properties > Software functional properties > Correctness > Access protection
Theory of computation > Semantics and reasoning > Program reasoning > Program analysis
Theory of computation > Semantics and reasoning > Program semantics
malicious behavior
security mechanism
intrusion detection system
execution profiles
program analysis
online signature matching
signature extraction
software security
software vulnerability
Java programs
Tomcat 3.0
program statements
ISBN:9781424437252, 1424437253
On-line přístup:Získat plný text
Tagy: Přidat tag
Žádné tagy, Buďte první, kdo vytvoří štítek k tomuto záznamu!
Popis
Shrnutí:An application based intrusion detection system is a security mechanism designed to detect malicious behavior that could compromise the security of a software application. Our aim is to develop such a system that operates on signatures extracted from execution profiles. These signatures are not descriptions of exploits, but instead are descriptions of the program conditions that lead to the exploitation of software vulnerabilities, i.e., they depend on the structure of the vulnerabilities themselves. A program vulnerability is generally induced by the execution of a combination of program statements. In this work we first analyze the execution profiles of a subject application in order to identify such suspicious combinations and consequently extract and define their corresponding signatures. Then, we insert probes in select locations in the application to enable online signature matching. To evaluate our technique, we implemented it for Java programs and applied it on Tomcat 3.0 in order to detect well-known attacks. Our results were promising, as no false negatives and a maximum of 4.5% false positives were observed, and the runtime overhead was less than 5%.
ISBN:9781424437252
1424437253
DOI:10.1109/IWSESS.2009.5068454