DocumentCode :
1971725
Title :
Accurate and Automated System Call Policy-Based Intrusion Prevention
Author :
Lam, Lap Chung ; Li, Wei ; Chiueh, Tzi-cker
Author_Institution :
Comput. Sci. Dept., Stony Brook Univ.
fYear :
2006
fDate :
25-28 June 2006
Firstpage :
413
Lastpage :
424
Abstract :
One way to prevent control hijacking attacks is to compare a network application's run-time system calls with a pre-defined normal system call behavior model, and raise an alert upon detecting a mismatch. This paper describes a system called PAID, which can automatically derive an accurate system call pattern from the source code of an application, and use it to detect any anomalous behavior at run time with minimal overhead. Because each application's system call pattern is directly derived from its source code, PAID never raises false positive alarms. Moreover, its false negative rate is very close to zero because PAID uses the sequence of return addresses on the user/kernel stack to uniquely identify each system call instance. Experiments on a fully operational PAID prototype show that PAID can indeed stop all known control hijacking attacks. The run-time latency and throughput penalty of PAID are under 13.02% and 11.52%, respectively, when it is tested against a set of production-mode network applications.
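Added illustration (not PAID's code, and not from the paper) of the idea in the abstract: a system call policy derived statically from a program's call graph, where each system call instance is identified not just by its name but by the chain of return addresses on the stack at the time of the call. The call graph, call-site addresses and trace below are all constructed for this example; call-site addresses stand in for the return addresses a real stack walk would see, only the user-side chain is modelled, and recursion is left out. The contrast function shows why a name-only model accepts a mimicry call that the stack-aware model rejects.

```python
"""Toy model of call-stack-aware system call policy checking.

Added illustration, not PAID's implementation. The call graph, addresses
and trace below are constructed for the example.
"""
from typing import Dict, List, Set, Tuple

Chain = Tuple[str, ...]            # return addresses, outermost frame first
Event = Tuple[str, Chain]          # (system call name, return-address chain)

# Constructed call graph: function -> list of (call-site address, callee).
# Callees named SYS_* stand for the kernel entry of that system call.
CALL_GRAPH: Dict[str, List[Tuple[str, str]]] = {
    "main":      [("0x401010", "serve"), ("0x401020", "log_msg")],
    "serve":     [("0x401100", "read_req"), ("0x401110", "send_resp")],
    "read_req":  [("0x401200", "SYS_read")],
    "send_resp": [("0x401300", "SYS_write")],
    "log_msg":   [("0x401400", "SYS_write")],
}


def derive_policy(graph: Dict[str, List[Tuple[str, str]]],
                  root: str = "main") -> Set[Event]:
    """Statically enumerate every (syscall, return-address chain) reachable from root.

    Each call-site address plays the role of the return address pushed for that
    call, so the chain is the user-stack return-address sequence at syscall time.
    Recursion is not modelled: a function already on the path is not re-entered.
    """
    policy: Set[Event] = set()

    def walk(func: str, chain: Chain, on_path: Tuple[str, ...]) -> None:
        for site, callee in graph.get(func, []):
            if callee.startswith("SYS_"):
                policy.add((callee, chain + (site,)))
            elif callee not in on_path:
                walk(callee, chain + (site,), on_path + (callee,))

    walk(root, (), (root,))
    return policy


def check_trace(policy: Set[Event], trace: List[Event]) -> List[Event]:
    """Return trace events whose (syscall, chain) pair the static policy never produces."""
    return [ev for ev in trace if ev not in policy]


def check_names_only(policy: Set[Event], trace: List[Event]) -> List[Event]:
    """Weaker check that ignores the stack: flags only syscalls the program never makes at all."""
    allowed = {name for name, _ in policy}
    return [ev for ev in trace if ev[0] not in allowed]


# Constructed trace: two legitimate calls, then two made after control flow is hijacked.
SAMPLE_TRACE: List[Event] = [
    ("SYS_read",   ("0x401010", "0x401100", "0x401200")),   # serve -> read_req -> read
    ("SYS_write",  ("0x401010", "0x401110", "0x401300")),   # serve -> send_resp -> write
    # Injected code invokes execve directly; its innermost return address lies on the stack itself.
    ("SYS_execve", ("0x401010", "0x401100", "0x7ffd1000")),
    # Mimicry: write is a syscall the program does make, but never from read_req's frame.
    ("SYS_write",  ("0x401010", "0x401100", "0x401300")),
]

if __name__ == "__main__":
    pol = derive_policy(CALL_GRAPH)
    print("policy:", sorted(pol))
    print("stack-aware violations:", check_trace(pol, SAMPLE_TRACE))
    print("name-only violations:  ", check_names_only(pol, SAMPLE_TRACE))
```

The stack-aware check flags both the injected execve and the mimicry write, while the name-only check passes the mimicry write because write appears somewhere in the program; that gap is what keying each system call instance to its return-address sequence closes, and the policy itself contains only pairs the source can produce, so a legitimate run never trips it.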
Keywords :
computer crime; invasive software; program compilers; remote procedure calls; PAID compiler; automated system call policy-based intrusion prevention; control hijacking attacks; run-time latency; throughput penalty; Application software; Automata; Automatic control; Computer science; Delay; Intrusion detection; Kernel; Prototypes; Runtime; Throughput;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Dependable Systems and Networks, 2006. DSN 2006. International Conference on
Conference_Location :
Philadelphia, PA
Print_ISBN :
0-7695-2607-1
Type :
conf
DOI :
10.1109/DSN.2006.10
Filename :
1633530