Stony Brook University Logo Department of Computer Science Stony Brook Search Button
Secure Systems Lab

Learning and Anomaly Detection Techniques

We are interested in anomaly-based intrusion detection techniques due to their ability to discover novel attacks. Anomaly detection techniques compute a model of normal behavior of systems by observing them, and detect deviations from this norm. We have tended to avoid heavy-weight machine learning techniques in this context, instead using our insight into the problem to develop simple models and algorithms that are robust and behave predictably. Examples include the use of automata models of program behavior  [17], which provide a succint representation of system calls made by an application. We used efficient string-matching algorithms to further enhance these models so as to capture dataflow relationships  [8]. The resulting models could not only be used for intrusion detection, but also to provide guarantees (when the model is followed) that certain security properties will be satisfied. Our network intrusion detection work has also relied on simple statistical models that represent network level behavior in terms of frequency distributions  [15].

As another application of learning, we have explored the development of self-healing techniques for security. Inspired by biological immune systems that can "learn" to develop efficient defenses against a pathogen when exposed to it for the first time, we developed techniques that enable network servers to learn to develop effective responses against attacks  [11, 10, 9]. These defenses take the form of filters that can be deployed on the network or on a host, and discard future recurrences of the attack, thereby preserving the integrity as well as the availability of the server.

A number of techniques in security (such as firewalls, sandboxing or SELinux) require the development of security policies, and this is a very challenging problem. To ease this problem, we have been developing techniques that can use learning to automate or assist policy development. Examples include the model-carrying code work  [13], and more recently, information flow based integrity preservation  [6], and secure software installation  [64].

Related Publications

[1]  Lifting Assembly to Intermediate Representation: A Novel Approach Leveraging Compilers
Niranjan Hasabnis and R. Sekar
ACM Architectural Support for Programming Languages and Operating Systems (ASPLOS) April, 2016.
[2]  Automatic Synthesis of Instruction Set Semantics
Niranjan Hasabnis
PhD Dissertation (Stony Brook University) July, 2015.
[3]  Taint-Enhanced Anomaly Detection
Lorenzo Cavallaro and R. Sekar
International Conference on Information Systems Security (ICISS) December, 2011.
[4]  Practical Techniques for Regeneration and Immunization of COTS Applications
Lixin Li, Mark R. Cornwell, E. Hultman, Jim Just and R. Sekar
Workshop on Recent Advances on Intrusion-Tolerant Systems (WRAITS) June, 2009.
[5]  Anomalous Taint Detection (Extended Abstract)
Lorenzo Cavallaro and R. Sekar
Recent Advances in Intrusion Detection (RAID) September, 2008. (Full version available as Technical Report SECLAB08-06).
[6]  Practical Proactive Integrity Preservation: A Basis for Malware Defense
Weiqing Sun, R. Sekar, Gaurav Poothia and Tejas Karandikar
IEEE Symposium on Security and Privacy (IEEE S&P) May, 2008.
[7]  A Practical Mimicry Attack Against Powerful System-Call Monitors
Chetan Parampalli, R. Sekar and Rob Johnson
ACM Symposium on Information, Computer and Communications Security (ASIACCS) March, 2008. (Supercedes Technical Report SECLAB07-01).
[8]  Dataflow Anomaly Detection
Sandeep Bhatkar, Abhishek Chaturvedi and R. Sekar
IEEE Symposium on Security and Privacy (IEEE S&P) May, 2006. (Supercedes Technical Report SECLAB-05-03 Improving Attack Detection in Host-Based IDS by Learning Properties of System Call Arguments, July 2005.).
[9]  Automatic Generation of Buffer Overflow Attack Signatures: An Approach Based on Program Behavior Models
Zhenkai Liang and R. Sekar
Annual Computer Security Applications Conference (ACSAC) December, 2005. (Supercedes Technical Report SECLAB-05-01 An Immune System Inspired Approach for Protection from Repetitive Attacks, March 2005.).
[10]  Fast and Automated Generation of Attack Signatures: A Basis for Building Self-Protecting Servers
Zhenkai Liang and R. Sekar
ACM Conference on Computer and Communications Security (CCS) November, 2005. (Supercedes Technical Report SECLAB-05-02 Automated, Sub-second Attack Signature Generation: A Basis for Building Self-Protecting Servers, May 2005.).
[11]  Automatic Synthesis of Filters to Discard Buffer Overflow Attacks: A Step Towards Realizing Self-Healing Systems (Short Paper)
Zhenkai Liang, R. Sekar and Daniel DuVarney
USENIX Annual Technical Conference (USENIX) April, 2005.
[12]  Using Predators to Combat Worms and Viruses: A Simulation-Based Study
Ajay Gupta and Daniel DuVarney
Annual Computer Security Applications Conference (ACSAC) December, 2004.
[13]  Model-Carrying Code: A Practical Approach for Safe Execution of Untrusted Applications
R. Sekar, V.N. Venkatakrishnan, Samik Basu, Sandeep Bhatkar and Daniel DuVarney
ACM Symposium on Operating Systems Principles (SOSP) October, 2003.
[14]  An Approach for Detecting Self-Propagating Email Using Anomaly Detection
Ajay Gupta and R. Sekar
Recent Advances in Intrusion Detection (RAID) September, 2003.
[15]  Specification-based anomaly detection: a new approach for detecting network intrusions
R. Sekar, Ajay Gupta, James Frullo, Tushar Shanbhag, Abhishek Tiwari, Henglin Yang and Sheng Zhou
ACM Conference on Computer and Communications Security (CCS) October, 2002.
[16]  Model-Carrying Code (MCC): A New Paradigm for Mobile-Code Security
R. Sekar, C.R. Ramakrishnan, I.V. Ramakrishnan and Scott Smolka
New Security Paradigms Workshop (NSPW) September, 2001.
[17]  A Fast Automaton-Based~Method for Detecting Anomalous Program Behaviors
R. Sekar, Mugdha Bendre, Pradeep Bollineni and Dinakar Dhurjati
IEEE Symposium on Security and Privacy (IEEE S&P) May, 2001.
[18]  A High-Performance Network Intrusion Detection System
R. Sekar, Guang Yang, Shobhit Verma and Tushar Shanbhag
ACM Conference on Computer and Communications Security (CCS) November, 1999.

Research Areas

Source-code analysis/transformation
Binary analysis/rewriting
Policy/Specification Languages
OS and Virtualization Techniques
Learning/anomaly detection
Formal methods/Foundations

Research Problems

Randomization/Memory Errors
Information flow analysis
Automated Exploit Defenses
Virtual Network Lab
Safe execution/attack recovery
Automated signature generation
Malware/Untrusted code defense
Intrusion/Anomaly detection
Fast packet matching
Policy generation tools

Local Search

Home Contact NSI Computer Science Stony Brook University

Copyright © 1999-2013 Secure Systems Laboratory, Stony Brook University. All rights reserved.