Building an application data behavior model for intrusion detection

Olivier Sarrouy; Eric Totel; Bernard Jouga

doi:10.1007/978-3-642-03007-9_21

Building an application data behavior model for intrusion detection

Olivier Sarrouy, Eric Totel, Bernard Jouga

Supelec

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Application level intrusion detection systems usually rely on the immunological approach. In this approach, the application behavior is compared at runtime with a previously learned application profile of the sequence of system calls it is allowed to emit. Unfortunately, this approach cannot detect anything but control flow violation and thus remains helpless in detecting the attacks that aim pure application data. In this paper, we propose an approach that would enhance the detection of such attacks. Our proposal relies on a data oriented behavioral model that builds the application profile out of dynamically extracted invariant constraints on the application data items.

Original language	English
Title of host publication	Data and Applications Security XXIII - 23rd Annual IFIP WG 11.3 Working Conference, Proceedings
Pages	299-306
Number of pages	8
DOIs	https://doi.org/10.1007/978-3-642-03007-9_21
Publication status	Published - 2 Nov 2009
Externally published	Yes
Event	23rd Annual IFIP WG 11.3 Working Conference on Data and Applications Security - Montreal, QC, Canada Duration: 12 Jul 2009 → 15 Jul 2009

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	5645 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	23rd Annual IFIP WG 11.3 Working Conference on Data and Applications Security
Country/Territory	Canada
City	Montreal, QC
Period	12/07/09 → 15/07/09

Access to Document

10.1007/978-3-642-03007-9_21

Cite this

Sarrouy, O., Totel, E., & Jouga, B. (2009). Building an application data behavior model for intrusion detection. In Data and Applications Security XXIII - 23rd Annual IFIP WG 11.3 Working Conference, Proceedings (pp. 299-306). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5645 LNCS). https://doi.org/10.1007/978-3-642-03007-9_21

Sarrouy, Olivier ; Totel, Eric ; Jouga, Bernard. / Building an application data behavior model for intrusion detection. Data and Applications Security XXIII - 23rd Annual IFIP WG 11.3 Working Conference, Proceedings. 2009. pp. 299-306 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{d48d48cbf878407aa9ee699e81b7c4c5,

title = "Building an application data behavior model for intrusion detection",

abstract = "Application level intrusion detection systems usually rely on the immunological approach. In this approach, the application behavior is compared at runtime with a previously learned application profile of the sequence of system calls it is allowed to emit. Unfortunately, this approach cannot detect anything but control flow violation and thus remains helpless in detecting the attacks that aim pure application data. In this paper, we propose an approach that would enhance the detection of such attacks. Our proposal relies on a data oriented behavioral model that builds the application profile out of dynamically extracted invariant constraints on the application data items.",

author = "Olivier Sarrouy and Eric Totel and Bernard Jouga",

year = "2009",

month = nov,

day = "2",

doi = "10.1007/978-3-642-03007-9\_21",

language = "English",

isbn = "3642030068",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

pages = "299--306",

booktitle = "Data and Applications Security XXIII - 23rd Annual IFIP WG 11.3 Working Conference, Proceedings",

note = "23rd Annual IFIP WG 11.3 Working Conference on Data and Applications Security ; Conference date: 12-07-2009 Through 15-07-2009",

}

Sarrouy, O, Totel, E & Jouga, B 2009, Building an application data behavior model for intrusion detection. in Data and Applications Security XXIII - 23rd Annual IFIP WG 11.3 Working Conference, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 5645 LNCS, pp. 299-306, 23rd Annual IFIP WG 11.3 Working Conference on Data and Applications Security, Montreal, QC, Canada, 12/07/09. https://doi.org/10.1007/978-3-642-03007-9_21

Building an application data behavior model for intrusion detection. / Sarrouy, Olivier; Totel, Eric; Jouga, Bernard.
Data and Applications Security XXIII - 23rd Annual IFIP WG 11.3 Working Conference, Proceedings. 2009. p. 299-306 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5645 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Building an application data behavior model for intrusion detection

AU - Sarrouy, Olivier

AU - Totel, Eric

AU - Jouga, Bernard

PY - 2009/11/2

Y1 - 2009/11/2

N2 - Application level intrusion detection systems usually rely on the immunological approach. In this approach, the application behavior is compared at runtime with a previously learned application profile of the sequence of system calls it is allowed to emit. Unfortunately, this approach cannot detect anything but control flow violation and thus remains helpless in detecting the attacks that aim pure application data. In this paper, we propose an approach that would enhance the detection of such attacks. Our proposal relies on a data oriented behavioral model that builds the application profile out of dynamically extracted invariant constraints on the application data items.

AB - Application level intrusion detection systems usually rely on the immunological approach. In this approach, the application behavior is compared at runtime with a previously learned application profile of the sequence of system calls it is allowed to emit. Unfortunately, this approach cannot detect anything but control flow violation and thus remains helpless in detecting the attacks that aim pure application data. In this paper, we propose an approach that would enhance the detection of such attacks. Our proposal relies on a data oriented behavioral model that builds the application profile out of dynamically extracted invariant constraints on the application data items.

U2 - 10.1007/978-3-642-03007-9_21

DO - 10.1007/978-3-642-03007-9_21

M3 - Conference contribution

AN - SCOPUS:70350352544

SN - 3642030068

SN - 9783642030062

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 299

EP - 306

BT - Data and Applications Security XXIII - 23rd Annual IFIP WG 11.3 Working Conference, Proceedings

T2 - 23rd Annual IFIP WG 11.3 Working Conference on Data and Applications Security

Y2 - 12 July 2009 through 15 July 2009

ER -

Sarrouy O, Totel E, Jouga B. Building an application data behavior model for intrusion detection. In Data and Applications Security XXIII - 23rd Annual IFIP WG 11.3 Working Conference, Proceedings. 2009. p. 299-306. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-642-03007-9_21

Building an application data behavior model for intrusion detection

Abstract

Publication series

Conference

Access to Document

Fingerprint

Cite this