Please use this identifier to cite or link to this item:
|Title:||Improving host-based IDS with argument abstraction to prevent mimicry attacks||Authors:||Sufatrio
|Issue Date:||2006||Citation:||Sufatrio, Yap, R.H.C. (2006). Improving host-based IDS with argument abstraction to prevent mimicry attacks. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) 3858 LNCS : 146-164. ScholarBank@NUS Repository. https://doi.org/10.1007/11663812_8||Abstract:||A popular class of host-based Intrusion Detection Systems (IDS) are those based on comparing thesystem call trace of a process against a set of fc-grams. However, the detection mechanism in such IDS can be evaded by cloaking an attack as a mimicry attack. In this paper, we give an algorithm that transforms a detectable attack into a mimicry attack. We demonstrate on a number of examples that using this algorithm, mimicry attacks can be easily constructed on self-based IDS with a set of k-grams and also a more precise graph profile representation. We enhance the IDS by making use of the system call arguments and process credentials. To avoid increasing the false positives, a supplied specification is used to abstract the system call arguments and process credentials. The specification takes into account what objects in the system that can be sensitive to potential attacks, and highlights the occurrence of "dangerous" operations. With this simple extension, we show that the robustness of the IDS is increased. Our preliminary experiments show that on our example programs and attacks, it was no longer possible to construct mimicry attacks. We also demonstrate that the enhanced IDS provides resistance to a variety of common attack strategies. © Springer-Verlag Berlin Heidelberg 2006.||Source Title:||Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)||URI:||http://scholarbank.nus.edu.sg/handle/10635/43160||ISBN:||3540317783||ISSN:||03029743||DOI:||10.1007/11663812_8|
|Appears in Collections:||Staff Publications|
Show full item record
Files in This Item:
There are no files associated with this item.
Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.