TY - GEN
T1 - SIDAN
T2 - 4th International Conference on Risks and Security of Internet and Systems, CRiSIS 2009
AU - Demay, Jonathan Christofer
AU - Totel, Eric
AU - Tronel, Frédéric
PY - 2009/12/1
Y1 - 2009/12/1
N2 - Anomaly-based intrusion detection systems rely on building a model of normal behavior. When a deviation from this normal behavior is detected, an alert is raised. This anomaly approach, unlike the misuse approach, is able to detect unknown attacks. A basic technique to build such a model for a program is to use the system call sequences of the process. To improve the accuracy and completeness of this detection model, we can add information related to the system call, such as its arguments or its execution context. But even then, attacks that target non-control-data may be missed, and attacks on control-data may be adapted to bypass the detection mechanism using evasion techniques. We propose in this article an approach that focuses on the detection of non-control-data attacks. Our approach aims at exploiting the internal state of a program to detect a memory corruption on non-control-data that could lead to an illegal system call. To achieve this, we propose to build a data-oriented detection model by statically analyzing a program's source code. This model is used to instrument the program by adding reasonableness checks that verify the consistent state of the data items the system calls depend on. We thus argue that it is possible to detect a program misuse caused by a non-control-data attack inside the program during its execution. While keeping a low overhead, this approach makes it possible to detect non-control-data attacks.
UR - https://www.scopus.com/pages/publications/77951468331
U2 - 10.1109/CRISIS.2009.5411977
DO - 10.1109/CRISIS.2009.5411977
M3 - Conference contribution
AN - SCOPUS:77951468331
SN - 9781424444991
T3 - Post-Proceedings of the 4th International Conference on Risks and Security of Internet and Systems, CRiSIS 2009
SP - 51
EP - 58
BT - Post-Proceedings of the 4th International Conference on Risks and Security of Internet and Systems, CRiSIS 2009
Y2 - 19 October 2009 through 22 October 2009
ER -