Intrusion Detection
Ramiro Rodríguez
Advisor: Prof. Emin Gün Sirer
Threats
Applications are vulnerable to security flaws
– E.g. buffer overflows, memory errors, etc.
Intruders can cause applications to misbehave
– Cause the application to perform sequences of steps that the programmer did not intend
Approach
Build a model of proper application behavior by examining the series of system calls issued by an application
Detect when the application deviates from this model
General Idea
Create a model of what system calls a program is able to execute
Check each system call the application makes against the model
If a system call is made by the application and is not in the model, suspend the application and sound an intruder alarm
Model
Build a call graph
Nodes represent addresses from which system calls are issued
Edges are jumps from one address to another
Functioning
Training Phase
– A system call is made
– If the system call is made from an address not yet in the graph, add the node and the edge to the graph
Detection Phase
– A system call is made
– Obtain the application's call graph
– Check if the link exists
– If the link exists, call the original system call
– Else suspend the application and sound the alarm
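The training and detection phases above, as an added example in Python that is not code from the project described in these slides. It assumes a tracer hands the monitor each system call as a (return address, syscall name) pair; the slides key the graph only on addresses, and this example additionally labels each edge with the syscall name, which is a tightening of the model and not something the slides state. All traces are constructed for illustration and are not real program output.

```python
"""Address-keyed system-call graph: training and detection phases.

Added example, not the project's own code. Trace format (assumed): a list
of (return_address, syscall_name) pairs in the order the application made
them. Labelling edges with the syscall name goes beyond the slides, which
record only the addresses.
"""
from collections import defaultdict

START = "START"  # synthetic node standing for "no system call made yet"


class SyscallGraph:
    """Nodes are addresses that issue system calls; an edge
    (prev_addr) --name--> (addr) records that, right after a system call
    made from prev_addr, the application made syscall `name` from addr."""

    def __init__(self):
        self.edges = defaultdict(set)  # node -> {(syscall_name, next_node)}

    def train(self, trace):
        """Training phase: add every node and edge seen in a known-good run."""
        prev = START
        for addr, name in trace:
            self.edges[prev].add((name, addr))
            prev = addr

    def first_violation(self, trace):
        """Detection phase: walk the trace and return
        (index, prev_addr, addr, name) of the first system call whose link is
        missing from the graph, or None if every link exists. A real monitor
        would suspend the process at that point instead of continuing."""
        prev = START
        for i, (addr, name) in enumerate(trace):
            if (name, addr) not in self.edges[prev]:
                return (i, prev, addr, name)
            prev = addr
        return None


# Constructed training runs for a small file-copying program (not real data).
TRAIN_RUN_1 = [
    (0x401020, "open"), (0x401040, "read"), (0x401060, "write"),
    (0x401040, "read"), (0x401060, "write"), (0x401080, "close"),
]
TRAIN_RUN_2 = [
    (0x401020, "open"), (0x401040, "read"), (0x401060, "write"),
    (0x401080, "close"),
]

# Three read/write iterations: never trained as such, but the graph holds the
# write -> read cycle, so the loop generalizes and is allowed.
LOOP_RUN = [
    (0x401020, "open"), (0x401040, "read"), (0x401060, "write"),
    (0x401040, "read"), (0x401060, "write"), (0x401040, "read"),
    (0x401060, "write"), (0x401080, "close"),
]

# execve issued from a stack address, as injected shellcode after an overflow
# would do. The address alone is unknown to the graph, so the check fails.
ATTACK_RUN = [
    (0x401020, "open"), (0x401040, "read"),
    (0x7FFD12345678, "execve"),
]

# Known syscalls from known addresses, but the edge open -> close was never
# observed in training, so the second call is flagged.
REORDERED_RUN = [
    (0x401020, "open"), (0x401080, "close"), (0x401040, "read"),
]


def build_model():
    g = SyscallGraph()
    for run in (TRAIN_RUN_1, TRAIN_RUN_2):
        g.train(run)
    return g


if __name__ == "__main__":
    model = build_model()
    for label, run in (("benign", TRAIN_RUN_2), ("loop", LOOP_RUN),
                       ("attack", ATTACK_RUN), ("reordered", REORDERED_RUN)):
        v = model.first_violation(run)
        if v is None:
            print(f"{label}: allowed")
        else:
            i, prev, addr, name = v
            print(f"{label}: ALARM at syscall #{i}: {name} from {addr:#x} after {prev}")
```

Two caveats follow directly from the model. A legitimate path that training never exercised (the REORDERED_RUN case, if it were in fact valid) raises a false alarm, so training must cover the application's real workload. Conversely, an attacker who only issues syscalls the program already makes, from the program's own call sites and in a trained order, passes the check; that is the gap the parameter-aware graph in the Future Work section is meant to narrow.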
Future Work
Make the graph describe the parameters passed to the system call as well as the system call itself
Implement the system fully inside the kernel to keep other processes from tampering with the loading process