Intrusion detection via static analysis

D. Wagner, R. Dean
Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001
One of the primary challenges in intrusion detection is modelling typical application behavior, so that we can recognize attacks by their atypical effects without raising too many false alarms. We show how static analysis may be used to automatically derive a model of application behavior. The result is a host-based intrusion detection system with three advantages: a high degree of automation, protection against a broad class of attacks based on corrupted code, and the elimination of false positives. We report on our experience with a prototype implementation of this technique.

Ko et al., and others, have proposed a very natural solution to this problem: every program should come with a specification of its intended behavior [21, 19, 22, 29]. This, of course, has been the dream of the formal methods community for 25 years, and is as yet unrealized. We believe it is likely to remain unrealized for some time to come. Although Ko et al.'s specification language is simple and admits relatively compact specifications, we believe that the need for manually written specifications will dramatically limit the impact of this work. We philosophically agree with the direction of Ko et al.'s work, but we propose to side-step its main drawback by automatically deriving the specification from the program.
doi:10.1109/secpri.2001.924296 dblp:conf/sp/WagnerD01 fatcat:esatk6vhtjbwjhsvnakx42fcra