Learning and Anomaly Detection Techniques
We are interested in anomaly-based intrusion detection techniques because of their ability to discover novel attacks. Anomaly detection techniques build a model of a system's normal behavior by observing it, and then detect deviations from that model. In this context we have tended to avoid heavy-weight machine learning techniques, instead using our insight into the problem to develop simple models and algorithms that are robust and behave predictably. Examples include automata models of program behavior [17], which provide a succinct representation of the system calls made by an application. We used efficient string-matching algorithms to further enhance these models so as to capture dataflow relationships [8]. The resulting models can be used not only for intrusion detection, but also to guarantee (when the model is followed) that certain security properties are satisfied. Our network intrusion detection work has likewise relied on simple statistical models that represent network-level behavior in terms of frequency distributions [15].
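As an added illustration of the automaton idea (this is example code written for this page, not the group's implementation from [17] or [8]), the following learns a finite-state model of system-call behavior from a few constructed training traces and then replays new traces through it. Each event is a (call_site, syscall) pair; the call site is an assumed stand-in for the program-counter context that such models attach to each call, which is what lets the model distinguish the same system call made from different places in the program.

```python
from collections import defaultdict

# Constructed training traces (not taken from the page or from any real
# program): each event is (call_site, syscall). The call site stands in for
# the program-counter context that an automaton model of program behaviour
# attaches to each system call.
NORMAL_TRACES = [
    [("0x401000", "open"), ("0x401010", "read"), ("0x401020", "write"),
     ("0x401030", "close")],
    [("0x401000", "open"), ("0x401010", "read"), ("0x401010", "read"),
     ("0x401020", "write"), ("0x401030", "close")],
    [("0x401000", "open"), ("0x401030", "close")],
]

START = ("<start>", None)   # synthetic entry state
END = ("<end>", None)       # synthetic exit state


def learn_automaton(traces):
    """Learn the transition relation of a finite-state automaton.

    A state is one observed (call_site, syscall) event; an edge s -> t is
    recorded whenever t directly followed s in some training trace.
    """
    edges = defaultdict(set)
    for trace in traces:
        prev = START
        for event in trace:
            edges[prev].add(event)
            prev = event
        edges[prev].add(END)
    return edges


def check_trace(edges, trace):
    """Replay a trace through the automaton.

    Returns a list of (position, from_state, to_state) for every transition
    the model never saw; an empty list means the trace conforms.
    """
    violations = []
    prev = START
    for i, event in enumerate(trace):
        if event not in edges.get(prev, ()):
            violations.append((i, prev, event))
        # Continue from the observed event rather than stopping, so the
        # detector reports every deviation instead of only the first one.
        prev = event
    if END not in edges.get(prev, ()):
        violations.append((len(trace), prev, END))
    return violations


if __name__ == "__main__":
    model = learn_automaton(NORMAL_TRACES)
    suspicious = [("0x401000", "open"), ("0x401010", "read"),
                  ("0x401015", "execve"), ("0x401030", "close")]
    for pos, src, dst in check_trace(model, suspicious):
        print(f"position {pos}: no edge {src} -> {dst}")
```

Because states carry the call site, a trace that uses only known system calls but issues one of them from an unseen location is flagged just as an unseen system call is; the price is that training has to cover the program's legitimate paths, or ordinary runs will raise false alarms.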
As another application of learning, we have explored the development of self-healing techniques for security. Inspired by biological immune systems that can "learn" to develop efficient defenses against a pathogen when exposed to it for the first time, we developed techniques that enable network servers to learn to develop effective responses against attacks [11, 10, 9]. These defenses take the form of filters that can be deployed on the network or on a host, and discard future recurrences of the attack, thereby preserving the integrity as well as the availability of the server.
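The following added example sketches the filter-synthesis step in its simplest form; it is written for this page and is not the technique of [9], [10] or [11], which derive signatures from program behavior models rather than from the request-length profile assumed here. Benign traffic (constructed) yields a per-field maximum length; when an attack input is captured, the field that overshoots the profile by the most becomes the filter, with a threshold of twice the benign maximum (this example's own heuristic). The request format and field names are assumptions.

```python
# Constructed sample of benign traffic (not from the page).
NORMAL_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: shop.test\r\nUser-Agent: curl/7.0\r\n",
    "GET /cart HTTP/1.1\r\nHost: shop.test\r\nUser-Agent: Mozilla/5.0 (X11)\r\n",
    "POST /login HTTP/1.1\r\nHost: shop.test\r\nUser-Agent: wget/1.21\r\n",
]


def parse_request(raw):
    """Split a minimal HTTP-style request into named fields."""
    lines = raw.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    fields = {"method": method, "path": path}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            fields[name.strip()] = value.strip()
    return fields


def learn_profile(requests):
    """Record the longest value seen for each field in benign traffic."""
    profile = {}
    for raw in requests:
        for name, value in parse_request(raw).items():
            profile[name] = max(profile.get(name, 0), len(value))
    return profile


def synthesize_filter(profile, attack_raw, slack=2):
    """Derive a discard filter from one captured attack input.

    Only fields present in the benign profile are considered. The field whose
    length exceeds its benign maximum by the largest margin is chosen, and the
    threshold is `slack` times that maximum (an assumed heuristic), so modest
    legitimate growth still passes while recurrences of the attack are
    discarded regardless of the bytes they carry.
    """
    attack = parse_request(attack_raw)
    worst, worst_excess = None, 0
    for name, benign_max in profile.items():
        excess = len(attack.get(name, "")) - benign_max
        if excess > worst_excess:
            worst, worst_excess = name, excess
    if worst is None:
        return None   # nothing about this input is outside the profile
    return {"field": worst, "max_len": slack * profile[worst]}


def should_discard(flt, raw):
    """Apply a synthesised filter to an incoming request."""
    value = parse_request(raw).get(flt["field"], "")
    return len(value) > flt["max_len"]


if __name__ == "__main__":
    profile = learn_profile(NORMAL_REQUESTS)
    captured = ("GET /index.html HTTP/1.1\r\nHost: shop.test\r\n"
                "User-Agent: " + "A" * 600 + "\r\n")
    flt = synthesize_filter(profile, captured)
    print("filter:", flt)
    print("drop benign?", [should_discard(flt, r) for r in NORMAL_REQUESTS])
```

The filter depends entirely on the benign profile being representative: a field that legitimately grows beyond twice its training maximum would be discarded along with the attack, which is the availability cost that the learned threshold trades against blocking recurrences.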
A number of techniques in security (such as firewalls, sandboxing or SELinux) require the development of security policies, and this is a very challenging problem. To ease this problem, we have been developing techniques that can use learning to automate or assist policy development. Examples include the model-carrying code work [13], and more recently, information flow based integrity preservation [6], and secure software installation [64].
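To make the "learning assists policy development" idea concrete, here is an added example (written for this page, not code from the model-carrying code work [13] or from [6]) that turns an observed file-access trace into an allow-list policy. Accesses are grouped by operation and directory; a directory in which two or more distinct files were touched is generalised to a wildcard rule, everything else stays an exact path. The trace, the server it supposedly came from, and the two-file generalisation threshold are all assumptions.

```python
import fnmatch
import os
from collections import defaultdict

# Constructed access trace from training runs of a hypothetical server
# (not taken from the page): (operation, path) pairs.
OBSERVED_ACCESSES = [
    ("read", "/etc/ld.so.cache"),
    ("read", "/lib/libc.so.6"),
    ("read", "/var/www/html/index.html"),
    ("read", "/var/www/html/about.html"),
    ("write", "/var/log/httpd/access.log"),
]


def learn_policy(accesses, min_files=2):
    """Generalise observed accesses into an allow-list policy.

    Accesses are grouped by (operation, directory). A directory in which at
    least `min_files` distinct files were touched becomes a wildcard rule for
    that directory; anything else stays an exact-path rule. The min_files
    knob is this example's own heuristic.
    """
    by_dir = defaultdict(set)
    for op, path in accesses:
        path = os.path.normpath(path)
        by_dir[(op, os.path.dirname(path))].add(path)
    rules = []
    for (op, directory), paths in by_dir.items():
        if len(paths) >= min_files:
            rules.append((op, os.path.join(directory, "*")))
        else:
            rules.extend((op, p) for p in paths)
    return sorted(rules)


def is_allowed(policy, op, path):
    """Check one access against the policy.

    The path is normalised first: fnmatch's '*' matches '/' as well, so
    without normalisation '/var/www/html/../../../etc/shadow' would satisfy
    the pattern '/var/www/html/*'.
    """
    path = os.path.normpath(path)
    return any(op == rule_op and fnmatch.fnmatchcase(path, pattern)
               for rule_op, pattern in policy)


if __name__ == "__main__":
    policy = learn_policy(OBSERVED_ACCESSES)
    for rule in policy:
        print(rule)
    print(is_allowed(policy, "read", "/var/www/html/contact.html"))
    print(is_allowed(policy, "write", "/etc/passwd"))
```

The generated rules are a starting point for a human to review rather than a finished policy: the wildcard step is where over-generalisation creeps in, and the normalisation in is_allowed is the kind of detail an enforcement point must get right even when the policy itself is correct.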
Related Publications
- [1] Lifting Assembly to Intermediate Representation: A Novel Approach Leveraging Compilers. ACM Architectural Support for Programming Languages and Operating Systems (ASPLOS), April 2016.
- [2] Automatic Synthesis of Instruction Set Semantics. PhD Dissertation (Stony Brook University), July 2015.
- [3] Taint-Enhanced Anomaly Detection. International Conference on Information Systems Security (ICISS), December 2011.
- [4] Practical Techniques for Regeneration and Immunization of COTS Applications. Workshop on Recent Advances on Intrusion-Tolerant Systems (WRAITS), June 2009.
- [5] Anomalous Taint Detection (Extended Abstract). Recent Advances in Intrusion Detection (RAID), September 2008. (Full version available as Technical Report SECLAB08-06.)
- [6] Practical Proactive Integrity Preservation: A Basis for Malware Defense. IEEE Symposium on Security and Privacy (IEEE S&P), May 2008.
- [7] A Practical Mimicry Attack Against Powerful System-Call Monitors. ACM Symposium on Information, Computer and Communications Security (ASIACCS), March 2008. (Supersedes Technical Report SECLAB07-01.)
- [8] Dataflow Anomaly Detection. IEEE Symposium on Security and Privacy (IEEE S&P), May 2006. (Supersedes Technical Report SECLAB-05-03, "Improving Attack Detection in Host-Based IDS by Learning Properties of System Call Arguments", July 2005.)
- [9] Automatic Generation of Buffer Overflow Attack Signatures: An Approach Based on Program Behavior Models. Annual Computer Security Applications Conference (ACSAC), December 2005. (Supersedes Technical Report SECLAB-05-01, "An Immune System Inspired Approach for Protection from Repetitive Attacks", March 2005.)
- [10] Fast and Automated Generation of Attack Signatures: A Basis for Building Self-Protecting Servers. ACM Conference on Computer and Communications Security (CCS), November 2005. (Supersedes Technical Report SECLAB-05-02, "Automated, Sub-second Attack Signature Generation: A Basis for Building Self-Protecting Servers", May 2005.)
- [11] Automatic Synthesis of Filters to Discard Buffer Overflow Attacks: A Step Towards Realizing Self-Healing Systems (Short Paper). USENIX Annual Technical Conference (USENIX), April 2005.
- [12] Using Predators to Combat Worms and Viruses: A Simulation-Based Study. Annual Computer Security Applications Conference (ACSAC), December 2004.
- [13] Model-Carrying Code: A Practical Approach for Safe Execution of Untrusted Applications. ACM Symposium on Operating Systems Principles (SOSP), October 2003.
- [14] An Approach for Detecting Self-Propagating Email Using Anomaly Detection. Recent Advances in Intrusion Detection (RAID), September 2003.
- [15] Specification-based Anomaly Detection: A New Approach for Detecting Network Intrusions. ACM Conference on Computer and Communications Security (CCS), October 2002.
- [16] Model-Carrying Code (MCC): A New Paradigm for Mobile-Code Security. New Security Paradigms Workshop (NSPW), September 2001.
- [17] A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors. IEEE Symposium on Security and Privacy (IEEE S&P), May 2001.
- [18] A High-Performance Network Intrusion Detection System. ACM Conference on Computer and Communications Security (CCS), November 1999.