TY - GEN
T1 - Efficient intrusion detection based on static analysis and stack walks
AU - Hua, Jingyu
AU - Li, Mingchu
AU - Sakurai, Kouichi
AU - Ren, Yizhi
PY - 2009
Y1 - 2009
N2 - Some intrusion detection models such as the VPStatic first construct a behavior model for a program via static analysis, and then perform intrusion detection by monitoring whether its execution is consistent with this behavior model. These models usually share the highly desirable feature that they do not produce false alarms but they face the conflict between precision and efficiency. The high precision of the VPStatic is at the cost of high space complexity. In this paper, we propose a new context-sensitive intrusion detection model based on static analysis and stack walks, which is similar to VPStatic but much more efficient, especially in memory use. We replace the automaton in the VPStatic with a state transition table (STT) and all redundant states and transitions in VPStatic are eliminated. We prove that our STT model is a deterministic pushdown automaton (DPDA) and the precision is the same as the VPStatic. Experiments also demonstrate that our STT model reduces both time and memory costs comparing with the VPStatic, in particular, memory overheads are less than half of the VPStatic's. Thereby, we alleviate the conflict between precision and efficiency.
AB - Some intrusion detection models such as the VPStatic first construct a behavior model for a program via static analysis, and then perform intrusion detection by monitoring whether its execution is consistent with this behavior model. These models usually share the highly desirable feature that they do not produce false alarms but they face the conflict between precision and efficiency. The high precision of the VPStatic is at the cost of high space complexity. In this paper, we propose a new context-sensitive intrusion detection model based on static analysis and stack walks, which is similar to VPStatic but much more efficient, especially in memory use. We replace the automaton in the VPStatic with a state transition table (STT) and all redundant states and transitions in VPStatic are eliminated. We prove that our STT model is a deterministic pushdown automaton (DPDA) and the precision is the same as the VPStatic. Experiments also demonstrate that our STT model reduces both time and memory costs comparing with the VPStatic, in particular, memory overheads are less than half of the VPStatic's. Thereby, we alleviate the conflict between precision and efficiency.
UR - http://www.scopus.com/inward/record.url?scp=77956321389&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=77956321389&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-04846-3_11
DO - 10.1007/978-3-642-04846-3_11
M3 - Conference contribution
AN - SCOPUS:77956321389
SN - 3642048455
SN - 9783642048456
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 158
EP - 173
BT - Advances in Information and Computer Security - 4th International Workshop on Security, IWSEC 2009, Proceedings
T2 - 4th International Workshop on Security, IWSEC 2009
Y2 - 28 October 2009 through 30 October 2009
ER -