Intrusion Detection

Intrusion Detection
Ramiro Rodríguez
Advisor: Prof. Emin Gün Sirer
Threats

• Applications are vulnerable to security flaws
  – E.g. buffer overflows, memory errors, etc.

• Intruders can cause applications to misbehave
  – Cause the application to perform sequences of steps that the programmer did not intend
Approach

• Build a model of proper application behavior by examining the series of system calls issued by an application

• Detect when applications deviate from this model
General Idea

• Create a model of what system calls a program is able to execute
• Check the allowable system calls
• If a system call is made by the application and is not in the model, suspend the application and sound an intruder alarm
Model

• Build a call graph
  – Nodes represent addresses
  – Edges are jumps from one address to another
Functioning

• Training Phase
  – System call is made
  – If a new system call is made from a new address, add the node and edge to the graph

• Detection Phase
  – System call is made
  – Obtain application call graph
  – Check if link exists
  – If link exists, call original system call
  – Else suspend application and sound alarm
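The following is an added example, not code from the slides or from the author's system, that implements the training and detection phases described above in Python. Nodes are the addresses from which system calls are issued, edges are the observed transitions between consecutive call sites, and detection stops at the first call that is not in the model. All call-site addresses, system-call names and traces are constructed for illustration; `SyscallCallGraph`, `build_model` and the trace constants are names chosen here.

```python
from collections import defaultdict

START = "<start>"  # synthetic node that precedes the first syscall of a run


def _site(addr):
    """Render a node for messages: hex for addresses, as-is for the START node."""
    return addr if isinstance(addr, str) else f"{addr:#x}"


class SyscallCallGraph:
    """Call-graph model of allowed system-call behaviour (example, not the original)."""

    def __init__(self):
        self.nodes = defaultdict(set)  # call-site address -> syscalls seen there
        self.edges = set()             # (previous call site, current call site)

    def train(self, trace):
        """Training phase: every (address, syscall) event extends the graph."""
        prev = START
        for addr, name in trace:
            self.nodes[addr].add(name)      # new node / new syscall at a known node
            self.edges.add((prev, addr))    # jump from the previous call site
            prev = addr

    def check(self, trace):
        """Detection phase: return None if every call is allowed, otherwise
        (index, reason) for the first call that would suspend the application."""
        prev = START
        for i, (addr, name) in enumerate(trace):
            if name not in self.nodes.get(addr, ()):
                return (i, f"{name} issued from unknown site {_site(addr)}")
            if (prev, addr) not in self.edges:
                return (i, f"no link {_site(prev)} -> {_site(addr)} in model")
            prev = addr
        return None


# Constructed training run: a file-copy loop, addresses are made up
BENIGN = [
    (0x401000, "open"), (0x401020, "read"), (0x401040, "write"),
    (0x401020, "read"), (0x401040, "write"), (0x401060, "close"),
    (0x401080, "exit"),
]
# Constructed anomalous run: a syscall issued from a never-seen (stack) address
INJECTED = [
    (0x401000, "open"), (0x401020, "read"), (0x7FFD1234, "execve"),
]
# Constructed anomalous run: known call sites in an order never seen in training
REORDERED = [
    (0x401000, "open"), (0x401040, "write"), (0x401020, "read"),
]


def build_model():
    """Train a model on the constructed benign run."""
    model = SyscallCallGraph()
    model.train(BENIGN)
    return model


if __name__ == "__main__":
    model = build_model()
    for label, trace in [("benign", BENIGN), ("injected", INJECTED),
                         ("reordered", REORDERED)]:
        verdict = model.check(trace)
        print(label, "allowed" if verdict is None else f"ALARM at call {verdict[0]}: {verdict[1]}")
```

The two anomalous traces show the two kinds of deviation the model catches: a call from an address that was never a node (the node check) and a transition between known sites that was never an edge (the link check). As in the slides, the model only knows what the training runs exercised, so an incomplete training set produces false alarms on legitimate but unseen paths.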
Future Work

• Make the graph describe the parameters passed to the system call as well as the system call itself
• Implement the system fully inside the kernel to prevent other processes from tampering with the loading process
