Efficient Context-Sensitive Intrusion Detection Based on State Transition Table
Summary :
Those host-based intrusion detection models like VPStatic first construct a model of acceptable behaviors for each monitored program via static analysis, and then perform intrusion detection by comparing them with programs' runtime behaviors. These models usually share the highly desirable feature that they do not produce false alarms but face the conflicts between accuracy and efficiency. For instance, the high accuracy of the VPStatic model is at the cost of high space complexity. In this paper, we use a statically-constructed state transition table (STT), which records expected transitions among system calls as well as their stack states (return address lists), as a behavior model to perform context-sensitive intrusion detection. According to our analysis, our STT model improves the space efficiency of the VPStatic model without decreasing its high precision and time efficiency. Experiments show that for three test programs, memory uses of our STT models are all much less than half of the VPStatic models'. Thereby, we alleviate the conflicts between the accuracy and the efficiency.
- Publication
- IEICE TRANSACTIONS on Fundamentals Vol.E94-A No.1 pp.255-264
- Publication Date
- 2011/01/01
- Publicized
- Online ISSN
- 1745-1337
- DOI
- 10.1587/transfun.E94.A.255
- Type of Manuscript
- Special Section PAPER (Special Section on Cryptography and Information Security)
- Category
- Network Security
Authors
Keyword
Latest Issue
Copyrights notice of machine-translated contents
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Cite this
Copy
Jingyu HUA, Mingchu LI, Yizhi REN, Kouichi SAKURAI, "Efficient Context-Sensitive Intrusion Detection Based on State Transition Table" in IEICE TRANSACTIONS on Fundamentals,
vol. E94-A, no. 1, pp. 255-264, January 2011, doi: 10.1587/transfun.E94.A.255.
Abstract: Those host-based intrusion detection models like VPStatic first construct a model of acceptable behaviors for each monitored program via static analysis, and then perform intrusion detection by comparing them with programs' runtime behaviors. These models usually share the highly desirable feature that they do not produce false alarms but face the conflicts between accuracy and efficiency. For instance, the high accuracy of the VPStatic model is at the cost of high space complexity. In this paper, we use a statically-constructed state transition table (STT), which records expected transitions among system calls as well as their stack states (return address lists), as a behavior model to perform context-sensitive intrusion detection. According to our analysis, our STT model improves the space efficiency of the VPStatic model without decreasing its high precision and time efficiency. Experiments show that for three test programs, memory uses of our STT models are all much less than half of the VPStatic models'. Thereby, we alleviate the conflicts between the accuracy and the efficiency.
URL: https://global.ieice.org/en_transactions/fundamentals/10.1587/transfun.E94.A.255/_p
Copy
@ARTICLE{e94-a_1_255,
author={Jingyu HUA, Mingchu LI, Yizhi REN, Kouichi SAKURAI, },
journal={IEICE TRANSACTIONS on Fundamentals},
title={Efficient Context-Sensitive Intrusion Detection Based on State Transition Table},
year={2011},
volume={E94-A},
number={1},
pages={255-264},
abstract={Those host-based intrusion detection models like VPStatic first construct a model of acceptable behaviors for each monitored program via static analysis, and then perform intrusion detection by comparing them with programs' runtime behaviors. These models usually share the highly desirable feature that they do not produce false alarms but face the conflicts between accuracy and efficiency. For instance, the high accuracy of the VPStatic model is at the cost of high space complexity. In this paper, we use a statically-constructed state transition table (STT), which records expected transitions among system calls as well as their stack states (return address lists), as a behavior model to perform context-sensitive intrusion detection. According to our analysis, our STT model improves the space efficiency of the VPStatic model without decreasing its high precision and time efficiency. Experiments show that for three test programs, memory uses of our STT models are all much less than half of the VPStatic models'. Thereby, we alleviate the conflicts between the accuracy and the efficiency.},
keywords={},
doi={10.1587/transfun.E94.A.255},
ISSN={1745-1337},
month={January},}
Copy
TY - JOUR
TI - Efficient Context-Sensitive Intrusion Detection Based on State Transition Table
T2 - IEICE TRANSACTIONS on Fundamentals
SP - 255
EP - 264
AU - Jingyu HUA
AU - Mingchu LI
AU - Yizhi REN
AU - Kouichi SAKURAI
PY - 2011
DO - 10.1587/transfun.E94.A.255
JO - IEICE TRANSACTIONS on Fundamentals
SN - 1745-1337
VL - E94-A
IS - 1
JA - IEICE TRANSACTIONS on Fundamentals
Y1 - January 2011
AB - Those host-based intrusion detection models like VPStatic first construct a model of acceptable behaviors for each monitored program via static analysis, and then perform intrusion detection by comparing them with programs' runtime behaviors. These models usually share the highly desirable feature that they do not produce false alarms but face the conflicts between accuracy and efficiency. For instance, the high accuracy of the VPStatic model is at the cost of high space complexity. In this paper, we use a statically-constructed state transition table (STT), which records expected transitions among system calls as well as their stack states (return address lists), as a behavior model to perform context-sensitive intrusion detection. According to our analysis, our STT model improves the space efficiency of the VPStatic model without decreasing its high precision and time efficiency. Experiments show that for three test programs, memory uses of our STT models are all much less than half of the VPStatic models'. Thereby, we alleviate the conflicts between the accuracy and the efficiency.
ER -
English
