Expressive, Efficient and Obfuscation Resilient Behavior Based IDS
| Author | Andrey Dolgikh, Arnur G. Tokhtabayev, Victor A. Skormin |
|---|---|
| Year of publication | 2010 |
| Subject | |
| Source | Computer Security – ESORICS 2010 ISBN: 9783642154966 ESORICS |
| DOI | 10.1007/978-3-642-15497-3_42 |
| Description | Behavior-based intrusion detection systems (BIDS) offer the only effective solution against modern malware. While dynamic BIDS have obvious advantages, their success hinges upon three interrelated factors: signature expressiveness, vulnerability to behavioral obfuscation, and run-time efficiency of signature matching. To achieve higher signature expressiveness, we propose a new approach for formal specification of malicious functionalities based on abstract activity diagrams (AD), which incorporate multiple realizations of the specified functionality. We analyzed both inter- and intra-process behavioral obfuscation techniques that can compromise existing BIDS. As a solution, we proposed specification generalization, which implies augmenting (generalizing) an otherwise obfuscation-prone specification into a more generic, obfuscation-resilient specification. We suggest colored Petri nets as a basis for functionality recognition at the system call level. We implemented a prototype IDS that has been evaluated on malicious and legitimate programs. The experimental results indicated extremely low false positives and negatives. Moreover, the IDS shows very low execution overhead and a negligible overhead penalty due to anti-obfuscation generalization. |
| Database | OpenAIRE |
| External link | |