SECURWARE 2011, The Fifth International Conference on Emerging Security Information, Systems and Technologies
Enhancing System-Called-Based Intrusion Detection with Protocol Context
Authors:
Anyi Liu
Xuxian Jiang
Jing Jin
Feng Mao
Jim Chen
Keywords: Intrusion detection; System calls; Protocol specification; Context
Abstract:
Building an accurate program model is challenging but vital for the development of an effective host-based intrusion detection system (IDS). The model should precisely capture the intrinsic semantic logic of a program, which comprises not only control flows (e.g., system call sequences) but also data flows and the dependencies between the two. However, most existing intrusion detection models consider either control flows or data flows, but not both or their interwoven dependency, leading to inaccurate or incomplete program modeling. In this paper, we present a semantic flow-based model that seamlessly integrates control flows, data flows, and their inter-dependency, thus greatly improving the precision and completeness of program behavior modeling. More specifically, the semantic flow model describes program behavior in terms of basic semantic units, each of which captures one essential aspect of a program's behavior. The relationships among these semantic units can be further derived by applying knowledge of the protocol that the (server) program implements. We show that the integrated semantic flow model enables earlier detection and prevention of many attacks than existing approaches.
Pages: 103 to 108
Copyright: Copyright (c) IARIA, 2011
Publication date: August 21, 2011
Published in: conference
ISSN: 2162-2116
ISBN: 978-1-61208-146-5
Location: Nice/Saint Laurent du Var, France
Dates: from August 21, 2011 to August 27, 2011