Intrusion detection using signatures extracted from execution profiles

An application based intrusion detection system is a security mechanism designed to detect malicious behavior that could compromise the security of a software application. Our aim is to develop such a system that operates on signatures extracted from execution profiles. These signatures are not descriptions of exploits, but instead are descriptions of the program conditions that lead to the exploitation of software vulnerabilities, i.e., they depend on the structure of the vulnerabilities themselves. A program vulnerability is generally induced by the execution of a combination of program statements. In this work we first analyze the execution profiles of a subject application in order to identify such suspicious combinations and consequently extract and define their corresponding signatures. Then, we insert probes in select locations in the application to enable online signature matching. To evaluate our technique, we implemented it for Java programs and applied it on Tomcat 3.0 in order to detect well-known attacks. Our results were promising, as no false negatives and a maximum of 4.5% false positives were observed, and the runtime overhead was less than 5%.