Abstract - Technical Program - ID 99
On Preventing Intrusions by Process Behavior Monitoring
R. Sekar, Iowa State University; T. Bowen and M. Segal, Bellcore
Society's increasing reliance on networked information systems to support critical infrastructures has prompted interest in making the information systems survivable, so that they continue to perform critical functions even in the presence of vulnerabilities susceptible to malicious attacks. To enable vulnerable systems to survive attacks, it is necessary to detect attacks and isolate failures resulting from attacks before they damage the system by impacting functionality, performance or security. The key research problems in this context include:
- detecting in-progress attacks before they cause damage, as opposed to detecting attacks after they have succeeded,
- localizing and/or minimizing damage by isolating attacked components in real-time, and
- tracing the origin of attacks.
We address the detection problem by real-time event monitoring and comparison against events known to be unacceptable. Real-time detection differentiates our approach from previous work that focuses on intrusion detection by post-attack evidence analysis. We address the isolation and tracing problems by supporting automatic initiation of reactions. Reactions are programs that we develop to respond to attacks. A reaction's primary goal is to isolate compromised components and prevent them from damaging other components. A reaction's secondary goal is to aid in tracing the origin of the attack, e.g., by providing an illusion of success to the attackers (enticing them to continue the attack) while ensuring that the attack causes no damage.
Our approach to detecting attacks is based on specifying permissible process behaviors as logical assertions on sequences of system calls and conditions on the values of system call arguments. We compile the specifications into finite state automata for efficient runtime detection of deviations from the specified (and hence permissible) behavior. We seamlessly integrate detection and reaction by designing our specification language to also allow specification of reactions.
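To make the detection-and-reaction idea concrete, here is an added illustration (not code from the paper or its authors): a behavior specification given as a sequence of system-call steps with argument predicates and optional repetition, compiled into a small nondeterministic finite automaton that accepts permissible traces and hands any deviating event to a reaction routine. The syscall names, the web-root policy and the sample traces are constructed assumptions for the example.

```python
from typing import Callable, Dict, List, Set

Args = Dict[str, object]
Event = Dict[str, object]            # constructed shape: {"name": "open", "args": {...}}

class Step:
    """One element of a specification: a system call name, a condition on its
    arguments, and whether the step may match zero or more times (Kleene star)."""
    def __init__(self, name: str, pred: Callable[[Args], bool] = lambda a: True,
                 repeat: bool = False):
        self.name, self.pred, self.repeat = name, pred, repeat

class Monitor:
    """Automaton compiled from a Step list. State i means steps[0..i-1] have been
    accepted; state len(steps) is the accept state. Repeatable steps contribute a
    self-loop plus a skip edge, so the monitor tracks a set of states."""
    def __init__(self, steps: List[Step], reaction: Callable[[Event], str]):
        self.steps, self.reaction = steps, reaction
        self.states = self._closure({0})

    def _closure(self, states: Set[int]) -> Set[int]:
        out, todo = set(states), list(states)
        while todo:                      # follow skip edges of repeatable steps
            s = todo.pop()
            if s < len(self.steps) and self.steps[s].repeat and s + 1 not in out:
                out.add(s + 1); todo.append(s + 1)
        return out

    def consume(self, event: Event) -> str:
        nxt = set()
        for s in self.states:
            if s == len(self.steps):
                continue                 # nothing is permitted after the accept state
            st = self.steps[s]
            if st.name == event["name"] and st.pred(event["args"]):
                nxt.add(s if st.repeat else s + 1)
        if not nxt:                      # deviation from permissible behavior
            return self.reaction(event)  # reaction decides what happens to the call
        self.states = self._closure(nxt)
        return "allow"

# Constructed policy: a file-serving process may open one file under /srv/www/
# read-only, read it any number of times, then close it.
SPEC = [Step("open", lambda a: str(a.get("path", "")).startswith("/srv/www/")
                                 and a.get("flags") == "O_RDONLY"),
        Step("read", repeat=True),
        Step("close")]

def deny_and_log(event: Event) -> str:
    """Reaction: refuse the deviating call and record it for later tracing."""
    return f"deny:{event['name']}"

def run(trace: List[Event]) -> List[str]:
    m = Monitor(SPEC, deny_and_log)
    return [m.consume(e) for e in trace]
```

On a permissible trace every event yields "allow"; an open outside the web root, or a write after the open, is rejected by the reaction before the call takes effect.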