Mimicry attacks on host-based intrusion detection systems

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Mimicry attacks on host-based intrusion detection systems

Full text

Pdf (170 KB)

Source

Conference on Computer and Communications Security archive
Proceedings of the 9th ACM conference on Computer and communications security table of contents

Washington, DC, USA

SESSION: Intrusion detection table of contents

Pages: 255 - 264

Year of Publication: 2002

ISBN:1-58113-612-9

Authors

David Wagner	University of California, Berkeley, CA
Paolo Soto	University of California, Berkeley, CA

Sponsors

ACM: Association for Computing Machinery
SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 37, Downloads (12 Months): 259, Citation Count: 38

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/586110.586145 What is a DOI?

ABSTRACT

We examine several host-based anomaly detection systems and study their security against evasion attacks. First, we introduce the notion of a mimicry attack, which allows a sophisticated attacker to cloak their intrusion to avoid detection by the IDS. Then, we develop a theoretical framework for evaluating the security of an IDS against mimicry attacks. We show how to break the security of one published IDS with these methods, and we experimentally confirm the power of mimicry attacks by giving a worked example of an attack on a concrete IDS implementation. We conclude with a call for further research on intrusion detection from both attacker's and defender's viewpoints.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	M. Chung, N. Puketza, R.A. Olsson, B. Mukherjee, "Simulating Concurrent Intrusions for Testing Intrusion Detection Systems: Parallelizing Intrusions," National Information Systems Security Conference, pp.173--183, 1995.
	2	Stephanie Forrest , Steven A. Hofmeyr , Anil Somayaji , Thomas A. Longstaff, A Sense of Self for Unix Processes, Proceedings of the 1996 IEEE Symposium on Security and Privacy, p.120, May 06-08, 1996
	3	Stephanie Forrest , Alan S. Perelson , Lawrence Allen , Rajesh Cherukuri, Self-Nonself Discrimination in a Computer, Proceedings of the 1994 IEEE Symposium on Security and Privacy, p.202, May 16-18, 1994
	4	Anup K. Ghosh , Aaron Schwartzbard , Michael Schatz, Learning Program Behavior Profiles for Intrusion Detection, Proceedings of the Workshop on Intrusion Detection and Network Monitoring, p.51-62, April 09-12, 1999
	5	Anup K. Ghosh , Aaron Schwartzbard , Michael Schatz, Learning Program Behavior Profiles for Intrusion Detection, Proceedings of the Workshop on Intrusion Detection and Network Monitoring, p.51-62, April 09-12, 1999
	6	Jonathon T. Giffin , Somesh Jha , Barton P. Miller, Detecting Manipulated Remote Call Streams, Proceedings of the 11th USENIX Security Symposium, p.61-79, August 05-09, 2002
	7	M. Handley, C. Kreibich, V. Paxson, "Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics," 10th USENIX Security Symposium, 2001.
	8	S. Hofmeyr, S. Forrest, A. Somayaji, "Intrusion Detection Using Sequences of System Calls," Journal of Computer Security, vol. 6, pp. 151--180, 1998.
	9	Gerard J. Holzmann, Design and validation of computer protocols, Prentice-Hall, Inc., Upper Saddle River, NJ, 1990
	10	Gerard J. Holzmann, The Model Checker SPIN, IEEE Transactions on Software Engineering, v.23 n.5, p.279-295, May 1997 [doi>10.1109/32.588521]
	11	John E. Hopcroft , Jeffrey D. Ullman, Introduction To Automata Theory, Languages, And Computation, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 1990
	12	T. Lane, C.E. Brodley, "Sequence Matching and Learning in Anomaly Detection for Computer Security," AAAI Workshop: AI Approaches to Fraud Detection and Risk Management, pp.49--49, 1997.
	13	Terran Lane , Carla E. Brodley, Temporal sequence learning and data reduction for anomaly detection, ACM Transactions on Information and System Security (TISSEC), v.2 n.3, p.295-331, Aug. 1999 [doi>10.1145/322510.322526]
	14	W. Lee, S.J. Stolfo, "Data Mining Approaches for Intrusion Detection," 7th USENIX Security Symposium, 1998.
	15	W. Lee, S.J. Stolfo, K. Mok, "A Data Mining Framework for Building Intrusion Detection Models," IEEE Symposium on Security & Privacy, 1999.
	16	Kenneth L. McMillan, Symbolic Model Checking, Kluwer Academic Publishers, Norwell, MA, 1993
	17	Christoph Michael , Anup K. Ghosh, Using Finite Automata to Mine Execution Data for Intrusion Detection: A Preliminary Report, Proceedings of the Third International Workshop on Recent Advances in Intrusion Detection, p.66-79, October 02-04, 2000
	18	Vern Paxson, Bro: a system for detecting network intruders in real-time, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.31 n.23-24, p.2435-2463, Dec. 1999 [doi>10.1016/S1389-1286(99)00112-7]
	19	T.H. Ptacek, T.N. Newsham, "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection," Secure Networks, Jan. 1998.
	20	Fred B. Schneider, Enforceable security policies, ACM Transactions on Information and System Security (TISSEC), v.3 n.1, p.30-50, Feb. 2000 [doi>10.1145/353323.353382]
	21	A. Somayaji, S. Forrest, "Automated Response Using System-Call Delays," 9th Usenix Security Symposium, pp.185--197, 2000.
	22	Anil Buntwal Somayaji , Stephanie Forrest, Operating system stability and security through process homeostasis, 2002
	23	K.M.C. Tan, K.S. Killourhy, R.A. Maxion, "Undermining an Anomaly-Based Intrusion Detection System Using Common Exploits," to appear at RAID 2002, 16--18 Oct. 2002.
	24	Kymie M. C. Tan , John McHugh , Kevin S. Killourhy, Hiding Intrusions: From the Abnormal to the Normal and Beyond, Revised Papers from the 5th International Workshop on Information Hiding, p.1-17, October 07-09, 2002
	25	David Wagner , Drew Dean, Intrusion Detection via Static Analysis, Proceedings of the 2001 IEEE Symposium on Security and Privacy, p.156, May 14-16, 2001
	26	C. Warrender, S. Forrest, B. Pearlmutter, "Detecting intrusions using system calls: Alternative data models," 1999 IEEE Symposium on Security & Privacy.
	27	Andreas Wespi , Marc Dacier , Hervé Debar, Intrusion Detection Using Variable-Length Audit Trail Patterns, Proceedings of the Third International Workshop on Recent Advances in Intrusion Detection, p.110-129, October 02-04, 2000

CITED BY 38

	R. Sekar , V.N. Venkatakrishnan , Samik Basu , Sandeep Bhatkar , Daniel C. DuVarney, Model-carrying code: a practical approach for safe execution of untrusted applications, Proceedings of the nineteenth ACM symposium on Operating systems principles, October 19-22, 2003, Bolton Landing, NY, USA
	Gaurav Tandon , Philip Chan , Debasis Mitra, MORPHEUS: motif oriented representations to purge hostile events from unlabeled sequences, Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security, October 29-29, 2004, Washington DC, USA
	Maja Pusara , Carla E. Brodley, User re-authentication via mouse movements, Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security, October 29-29, 2004, Washington DC, USA
	Christopher Kruegel , Giovanni Vigna , William Robertson, A multi-model approach to the detection of web-based attacks, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.48 n.5, p.717-738, 5 August 2005
	Wun-Hwa Chen , Sheng-Hsun Hsu , Hwang-Pin Shen, Application of SVM and ANN for intrusion detection, Computers and Operations Research, v.32 n.10, p.2617-2634, October 2005
	Martín Abadi , Mihai Budiu , Úlfar Erlingsson , Jay Ligatti, Control-flow integrity, Proceedings of the 12th ACM conference on Computer and communications security, November 07-11, 2005, Alexandria, VA, USA
	Wes Masri , Andy Podgurski, Using dynamic information flow analysis to detect attacks against applications, ACM SIGSOFT Software Engineering Notes, v.30 n.4, July 2005
	Timothy Hollebeek , Rand Waltzman, The role of suspicion in model-based intrusion detection, Proceedings of the 2004 workshop on New security paradigms, September 20-23, 2004, Nova Scotia, Canada
	Zhuowei Li , Amitabha Das, Analyzing and evaluating dynamics in stide performance for intrusion detection, Knowledge-Based Systems, v.19 n.7, p.576-591, November, 2006
	Hilmi Güneş Kayacik , Malcolm Heywood , Nur Zincir-Heywood, On evolving buffer overflow attacks using genetic programming, Proceedings of the 8th annual conference on Genetic and evolutionary computation, July 08-12, 2006, Seattle, Washington, USA
	Darren Mutz , Fredrik Valeur , Giovanni Vigna , Christopher Kruegel, Anomalous system call detection, ACM Transactions on Information and System Security (TISSEC), v.9 n.1, p.61-93, February 2006
	Jesse C. Rabek , Roger I. Khazan , Scott M. Lewandowski , Robert K. Cunningham, Detection of injected, dynamically generated, and obfuscated malicious code, Proceedings of the 2003 ACM workshop on Rapid malcode, October 27-27, 2003, Washington, DC, USA
	Christof Fetzer , Martin Süßkraut, Switchblade: enforcing dynamic personalized system call models, ACM SIGOPS Operating Systems Review, v.42 n.4, May 2008
	Jedidiah R. Crandall , S. Felix Wu , Frederic T. Chong, Minos: Architectural support for protecting control data, ACM Transactions on Architecture and Code Optimization (TACO), v.3 n.4, p.359-389, December 2006
	Prahlad Fogla , Wenke Lee, Evading network anomaly detection systems: formal reasoning and practical techniques, Proceedings of the 13th ACM conference on Computer and communications security, October 30-November 03, 2006, Alexandria, Virginia, USA
	Kenneth L. Ingham , Anil Somayaji , John Burge , Stephanie Forrest, Learning DFA representations of HTTP for protecting web applications, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.5, p.1239-1255, April, 2007
	Haizhi Xu , Steve J. Chapin, Improving address space randomization with a dynamic offset randomization technique, Proceedings of the 2006 ACM symposium on Applied computing, April 23-27, 2006, Dijon, France
	Salvatore J. Stolfo , Shlomo Hershkop , Chia-Wei Hu , Wei-Jen Li , Olivier Nimeskern , Ke Wang, Behavior-based modeling and its application to Email analysis, ACM Transactions on Internet Technology (TOIT), v.6 n.2, p.187-221, May 2006
	Janak J. Parekh , Ke Wang , Salvatore J. Stolfo, Privacy-preserving payload-based correlation for accurate malicious traffic detection, Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense, p.99-106, September 11-15, 2006, Pisa, Italy
	James Poe , Tao Li, BASS: a benchmark suite for evaluating architectural security systems, ACM SIGARCH Computer Architecture News, v.34 n.4, p.26-33, September 2006
	Hassen Saïdi, Guarded models for intrusion detection, Proceedings of the 2007 workshop on Programming languages and analysis for security, June 14-14, 2007, San Diego, California, USA
	Shuo Chen , Jun Xu , Emre C. Sezer , Prachi Gauriar , Ravishankar K. Iyer, Non-control-data attacks are realistic threats, Proceedings of the 14th conference on USENIX Security Symposium, p.12-12, July 31-August 05, 2005, Baltimore, MD
	C. M. Linn , M. Rajagopalan , S. Baker , C. Collberg , S. K. Debray , J. H. Hartman, Protecting against unexpected system calls, Proceedings of the 14th conference on USENIX Security Symposium, p.16-16, July 31-August 05, 2005, Baltimore, MD
	Niels Provos, Improving host security with system call policies, Proceedings of the 12th conference on USENIX Security Symposium, p.18-18, August 04-08, 2003, Washington, DC
	Niels Provos, A virtual honeypot framework, Proceedings of the 13th conference on USENIX Security Symposium, p.1-1, August 09-13, 2004, San Diego, CA
	Debin Gao , Michael K. Reiter , Dawn Song, On gray-box program tracking for anomaly detection, Proceedings of the 13th conference on USENIX Security Symposium, p.8-8, August 09-13, 2004, San Diego, CA
	Christopher Kruegel , Engin Kirda , Darren Mutz , William Robertson , Giovanni Vigna, Automating mimicry attacks using static binary analysis, Proceedings of the 14th conference on USENIX Security Symposium, p.11-11, July 31-August 05, 2005, Baltimore, MD
	Scott E. Coull , Boleslaw K. Szymanski, Sequence alignment for masquerade detection, Computational Statistics & Data Analysis, v.52 n.8, p.4116-4131, April, 2008
	Michael D. Bond , Kathryn S. McKinley, Probabilistic calling context, ACM SIGPLAN Notices, v.42 n.10, October 2007
	Chetan Parampalli , R. Sekar , Rob Johnson, A practical mimicry attack against powerful system-call monitors, Proceedings of the 2008 ACM symposium on Information, computer and communications security, March 18-20, 2008, Tokyo, Japan
	Kamran Shafi , Hussein A. Abbass, Biologically-inspired Complex Adaptive Systems approaches to Network Intrusion Detection, Information Security Tech. Report, v.12 n.4, p.209-217, January, 2007
	Anil Somayaji, Immunology, diversity, and homeostasis: The past and future of biologically inspired computer defenses, Information Security Tech. Report, v.12 n.4, p.228-234, January, 2007
	Sean Peisert , Matt Bishop , Sidney Karin , Keith Marzullo, Analysis of Computer Intrusions Using Sequences of Function Calls, IEEE Transactions on Dependable and Secure Computing, v.4 n.2, p.137-150, April 2007
	Manuel Costa , Jon Crowcroft , Miguel Castro , Antony Rowstron , Lidong Zhou , Lintao Zhang , Paul Barham, Vigilante: End-to-end containment of Internet worm epidemics, ACM Transactions on Computer Systems (TOCS), v.26 n.4, p.1-68, December 2008
	Fabrizio Baiardi , Dario Maggiari , Daniele Sgandurra , Francesco Tamberi, Transparent Process Monitoring in a Virtual Environment, Electronic Notes in Theoretical Computer Science (ENTCS), 236, p.85-100, April, 2009
	Haizhi Xu , Steve J. Chapin, Address-space layout randomization using code islands, Journal of Computer Security, v.17 n.3, p.331-362, August 2009
	David J. Chaboya , Richard A. Raines , Rusty O. Baldwin , Barry E. Mullins, Network Intrusion Detection: Automated and Manual Methods Prone to Attack and Evasion, IEEE Security and Privacy, v.4 n.6, p.36-43, November 2006
	François Gagnon , Babak Esfandiari, Using Artificial Intelligence for Intrusion Detection, Proceeding of the 2007 conference on Emerging Artificial Intelligence Applications in Computer Engineering: Real Word AI Systems with Applications in eHealth, HCI, Information Retrieval and Pervasive Technologies, p.295-306, June 10, 2007