• DocumentCode
    1955028
  • Title

    Intrusion detection using signatures extracted from execution profiles

  • Author

    El-Ghali, Marwa ; Masri, Wes

  • Author_Institution
    Dept. of Electr. & Comput. Eng., American Univ. of Beirut, Beirut
  • fYear
    2009
  • fDate
    19-19 May 2009
  • Firstpage
    17
  • Lastpage
    24
  • Abstract
    An application based intrusion detection system is a security mechanism designed to detect malicious behavior that could compromise the security of a software application. Our aim is to develop such a system that operates on signatures extracted from execution profiles. These signatures are not descriptions of exploits, but instead are descriptions of the program conditions that lead to the exploitation of software vulnerabilities, i.e., they depend on the structure of the vulnerabilities themselves. A program vulnerability is generally induced by the execution of a combination of program statements. In this work we first analyze the execution profiles of a subject application in order to identify such suspicious combinations and consequently extract and define their corresponding signatures. Then, we insert probes in select locations in the application to enable online signature matching. To evaluate our technique, we implemented it for Java programs and applied it on Tomcat 3.0 in order to detect well-known attacks. Our results were promising, as no false negatives and a maximum of 4.5% false positives were observed, and the runtime overhead was less than 5%.
  • Keywords
    Java; digital signatures; program diagnostics; security of data; Java programs; Tomcat 3.0; execution profiles; intrusion detection system; malicious behavior; online signature matching; program analysis; program statements; security mechanism; signature extraction; software security; software vulnerability; Application software; Computer security; Computerized monitoring; Conferences; Databases; Intrusion detection; Java; Pattern matching; Probes; Runtime;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Software Engineering for Secure Systems, 2009. SESS '09. ICSE Workshop on
  • Conference_Location
    Vancouver, BC
  • Print_ISBN
    978-1-4244-3725-2
  • Type

    conf

  • DOI
    10.1109/IWSESS.2009.5068454
  • Filename
    5068454