Efficient intrusion detection based on static analysis and stack walks

Jingyu Hua, Mingchu Li, Kouichi Sakurai, Yizhi Ren

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

1 Citation (Scopus)

Abstract

Some intrusion detection models such as the VPStatic first construct a behavior model for a program via static analysis, and then perform intrusion detection by monitoring whether its execution is consistent with this behavior model. These models usually share the highly desirable feature that they do not produce false alarms but they face the conflict between precision and efficiency. The high precision of the VPStatic is at the cost of high space complexity. In this paper, we propose a new context-sensitive intrusion detection model based on static analysis and stack walks, which is similar to VPStatic but much more efficient, especially in memory use. We replace the automaton in the VPStatic with a state transition table (STT) and all redundant states and transitions in VPStatic are eliminated. We prove that our STT model is a deterministic pushdown automaton (DPDA) and the precision is the same as the VPStatic. Experiments also demonstrate that our STT model reduces both time and memory costs compared with the VPStatic; in particular, memory overheads are less than half of the VPStatic's. Thereby, we alleviate the conflict between precision and efficiency.

Original language: English
Title of host publication: Advances in Information and Computer Security - 4th International Workshop on Security, IWSEC 2009, Proceedings
Pages: 158-173
Number of pages: 16
DOIs: https://doi.org/10.1007/978-3-642-04846-3_11
Publication status: Published - Dec 1 2009
Event: 4th International Workshop on Security, IWSEC 2009 - Toyama, Japan
Duration: Oct 28 2009 to Oct 30 2009

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 5824 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 4th International Workshop on Security, IWSEC 2009
Country: Japan
City: Toyama
Period: 10/28/09 to 10/30/09

Fingerprint

Static analysis
Intrusion detection
Walk
State Transition
Table
Data storage equipment
Model
Pushdown Automata
Program Analysis
Space Complexity
False Alarm
Automata
Monitoring
Model-based
Costs
Demonstrate
Experiment

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • Computer Science(all)

Cite this

Hua, J., Li, M., Sakurai, K., & Ren, Y. (2009). Efficient intrusion detection based on static analysis and stack walks. In Advances in Information and Computer Security - 4th International Workshop on Security, IWSEC 2009, Proceedings (pp. 158-173). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5824 LNCS). https://doi.org/10.1007/978-3-642-04846-3_11

@inproceedings{29c6da10c3b34c2e8a93e92661437702,
title = "Efficient intrusion detection based on static analysis and stack walks",
author = "Jingyu Hua and Mingchu Li and Kouichi Sakurai and Yizhi Ren",
year = "2009",
month = "12",
day = "1",
doi = "10.1007/978-3-642-04846-3_11",
language = "English",
isbn = "3642048455",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "158--173",
booktitle = "Advances in Information and Computer Security - 4th International Workshop on Security, IWSEC 2009, Proceedings",

}

TY - GEN

T1 - Efficient intrusion detection based on static analysis and stack walks

AU - Hua, Jingyu

AU - Li, Mingchu

AU - Sakurai, Kouichi

AU - Ren, Yizhi

PY - 2009/12/1

Y1 - 2009/12/1

UR - http://www.scopus.com/inward/record.url?scp=77956321389&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=77956321389&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-04846-3_11

DO - 10.1007/978-3-642-04846-3_11

M3 - Conference contribution

AN - SCOPUS:77956321389

SN - 3642048455

SN - 9783642048456

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 158

EP - 173

BT - Advances in Information and Computer Security - 4th International Workshop on Security, IWSEC 2009, Proceedings

ER -