Bridging the Gap between Data-Flow and Control-Flow Analysis for Anomaly Detection

Publication Type

Conference Proceeding Article

Publication Date

10-2008

Abstract

Host-based anomaly detectors monitor the control-flow and data-flow behavior of system calls to detect intrusions. Control-flow-based detectors monitor the sequence of system calls, while data-flow-based detectors monitor the data propagation among arguments of system calls. Besides pointing out that data-flow-based detectors can be layered on top of control-flow-based ones (or vice versa) to improve accuracy, there is a large gap between the two research directions in that research along one direction had been fairly isolated and had not made good use of results from the other direction. In this paper, we show how data-flow analysis can leverage results from control-flow analysis to learn more accurate and useful rules for anomaly detection. Our results show that the proposed control-flow-analysis-aided data-flow analysis reveals some accurate and useful rules that cannot be learned in prior data-flow analysis techniques. These relations among system call arguments and return values are useful in detecting many real attacks. A trace-driven evaluation shows that the proposed technique enjoys low false-alarm rates and overhead when implemented on a production server.

Keywords

system call argument, data-flow, control-flow, anomaly detection

Discipline

Information Security

Research Areas

Information Security and Trust

Publication

24th Annual Computer Security Applications Conference (ACSAC 2008)

Identifier

10.1109/ACSAC.2008.17

Publisher

IEEE

Additional URL

http://dx.doi.org/10.1109/ACSAC.2008.17

This document is currently not available here.

Share

COinS