Please use this identifier to cite or link to this item: https://doi.org/10.1007/11663812_8
Title: Improving host-based IDS with argument abstraction to prevent mimicry attacks
Authors: Sufatrio; Yap, R.H.C.
Issue Date: 2006
Citation: Sufatrio, Yap, R.H.C. (2006). Improving host-based IDS with argument abstraction to prevent mimicry attacks. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) 3858 LNCS : 146-164. ScholarBank@NUS Repository. https://doi.org/10.1007/11663812_8
Abstract: A popular class of host-based Intrusion Detection Systems (IDS) are those based on comparing the system call trace of a process against a set of k-grams. However, the detection mechanism in such IDS can be evaded by cloaking an attack as a mimicry attack. In this paper, we give an algorithm that transforms a detectable attack into a mimicry attack. We demonstrate on a number of examples that using this algorithm, mimicry attacks can be easily constructed on self-based IDS with a set of k-grams and also a more precise graph profile representation. We enhance the IDS by making use of the system call arguments and process credentials. To avoid increasing the false positives, a supplied specification is used to abstract the system call arguments and process credentials. The specification takes into account what objects in the system can be sensitive to potential attacks, and highlights the occurrence of "dangerous" operations. With this simple extension, we show that the robustness of the IDS is increased. Our preliminary experiments show that on our example programs and attacks, it was no longer possible to construct mimicry attacks. We also demonstrate that the enhanced IDS provides resistance to a variety of common attack strategies. © Springer-Verlag Berlin Heidelberg 2006.
Source Title: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
URI: http://scholarbank.nus.edu.sg/handle/10635/43160
ISBN: 3540317783
ISSN: 03029743
DOI: 10.1007/11663812_8
Appears in Collections: Staff Publications

Files in This Item:
There are no files associated with this item.
