Check out the new USENIX Web site.

Home About USENIX Events Membership Publications Students
Abstract - Technical Program - ID 99

On Preventing Intrusions by Process Behavior Monitoring

R. Sekar, Iowa State University; T. Bowen and M. Segal, Bellcore


Society's increasing reliance on networked information systems to support critical infrastructures has prompted interest in making the information systems survivable, so that they continue to perform critical functions even in the presence of vulnerabilities susceptible to malicious attacks. To enable vulnerable systems to survive attacks, it is necessary to detect attacks and isolate failures resulting from attacks before they damage the system by impacting functionality, performance or security. The key research problems in this context include:
  • detecting in-progress attacks before they cause damage, as opposed to detecting attacks after they have succeeded,
  • localizing and/or minimizing damage by isolating attacked components in real-time, and
  • tracing the origin of attacks.

We address the detection problem by real-time event monitoring and comparison against events known to be unacceptable. Real-time detection differentiates our approach from previous works that focus on intrusion detection by post-attack evidence analysis. We address the isolation and tracing problems by supporting automatic initiation of reactions. Reactions are programs that we develop to respond to attacks. A reaction's primary goal is to isolate compromised components and prevent them from damaging other components. A reaction's secondary goal is to aid in tracing the origin of attack, e.g., by providing an illusion of success to the attackers (enticing them to continue the attack) while ensuring that the attack causes no damage.

Our approach to detecting attacks is based on specifying permissible process behaviors as logical assertions on sequences of system calls and conditions on the values of system call arguments. We compile the specifications into finite state automata for efficient runtime detection of deviations from the specified (and hence permissible) behavior. We seamlessly integrate detection and reaction by designing our specification language to also allow specification of reactions.

  • View the full text of this paper PDF form.

  • If you need the latest Adobe Acrobat Reader, you can download it from Adobe's site.

  • To become a USENIX Member, please see our Membership Information.

?Need help? Use our Contacts page.

Last changed: 21 Mar 2002 ml
Technical Program
Conference Index