Our Approach (Contd.)

• Specify security-relevant behaviors as patterns over system call sequences

  • “process A does not open  any file except f1 before  a setuid operation”

• Specify responses to initiate when deviation is detected

  • prevent damage-causing action from execution
  • quarantine compromised program

• Compile specs to producea fast detection engine (DE)

C++ Compiler

Vulnerable Program (P)

Intended behavior of P (manuals/documents)

Attack advisories, etc.

ASL specification for P

ASL Compiler

C++ Class to monitor P

Detection Engine

Detection Engine Infrastructure

Previous slide

Next slide

Back to first slide

View graphic version