This is a reminder that Jonathon Giffin will give a talk at the security
(and PL) seminar today.
4:00 pm, 1325 CS
Security Seminar
Jonathon Giffin, University of Wisconsin
"Efficient Context-Sensitive Intrusion Detection"
Model-based intrusion detection compares a process's execution against a
program model to detect intrusion attempts. Models constructed from
static program analysis have historically traded precision for
efficiency. In particular, precise models based upon pushdown automata
(PDA) are very inefficient to operate due to non-determinism in stack
activity. In this talk, I will describe a technique for determinizing
PDA models. I will introduce the concept of a stack-deterministic PDA
and will present the Dyck model, an implementation of such a PDA. The
Dyck model is the first efficient statically-constructed
context-sensitive model. Experiments demonstrate that it is an order of
magnitude more precise than a context-insensitive finite state machine
model. With null call squelching, a dynamic technique to bound cost, the
Dyck model operates in time similar to the context-insensitive model. I
will also present new static data-flow analyses, branch analysis and
argument dependency recovery, that manipulate data values known only at
run-time. Combined with a monitor that observes data values, these
techniques limit model exploration and system call arguments to further
thwart potential attacks.
Mihai
--
- mihai@xxxxxxxxxxx - http://www.cs.wisc.edu/~mihai -
-------------------------------------------------------
The man of knowledge must be able not only to love
his enemies but also to hate his friends.
- Friedrich Nietzsche
-------------------------------------------------------
-- Feed the machine that burns in your head. --