using static program analysis to aid intrusion detection
play

Using Static Program Analysis to Aid Intrusion Detection M. Egele - PowerPoint PPT Presentation

Mar 03, 2024 •142 likes •929 views

Motivation Analysis Evaluation Summary Using Static Program Analysis to Aid Intrusion Detection M. Egele M. Szydlowski E. Kirda C. Kruegel Secure Systems Lab Vienna University of Technology SIG SIDAR Conference on Detection of

  1. Motivation Analysis Evaluation Summary Using Static Program Analysis to Aid Intrusion Detection M. Egele M. Szydlowski E. Kirda C. Kruegel Secure Systems Lab Vienna University of Technology SIG SIDAR Conference on Detection of Intrusions and Malware & Vulnerability Assessment, 2006 M. Egele, M. Szydlowski, E. Kirda, C. Kruegel Using Static Program Analysis to Aid Intrusion Detection

  2. Motivation Analysis Evaluation Summary outline Motivation 1 Analysis 2 Mode of Operation Parse Application Sourcecode Find Parameter Entry Points Parameter Name Extraction Type Inference Value Extraction Evaluation 3 How We Evaluated Our Results Results Analysis Results Comparison with Log Data M. Egele, M. Szydlowski, E. Kirda, C. Kruegel Using Static Program Analysis to Aid Intrusion Detection

  3. Motivation Analysis Evaluation Summary what we want to do and why PHP is arguably the most prominent language to develop web-based applications Many exploits for vulnerabilities in PHP-applications exist User/attacker can influence the application mainly via its parameters We employ interprocedural dataflow analysis to gain knowledge about used parameters Especially types and possible values of parameters are interesting M. Egele, M. Szydlowski, E. Kirda, C. Kruegel Using Static Program Analysis to Aid Intrusion Detection

  4. Motivation Analysis Evaluation Summary what we want to do and why PHP is arguably the most prominent language to develop web-based applications Many exploits for vulnerabilities in PHP-applications exist User/attacker can influence the application mainly via its parameters We employ interprocedural dataflow analysis to gain knowledge about used parameters Especially types and possible values of parameters are interesting M. Egele, M. Szydlowski, E. Kirda, C. Kruegel Using Static Program Analysis to Aid Intrusion Detection

  5. Motivation Analysis Evaluation Summary what we want to do and why PHP is arguably the most prominent language to develop web-based applications Many exploits for vulnerabilities in PHP-applications exist User/attacker can influence the application mainly via its parameters We employ interprocedural dataflow analysis to gain knowledge about used parameters Especially types and possible values of parameters are interesting M. Egele, M. Szydlowski, E. Kirda, C. Kruegel Using Static Program Analysis to Aid Intrusion Detection

  6. Motivation Analysis Evaluation Summary what we want to do and why PHP is arguably the most prominent language to develop web-based applications Many exploits for vulnerabilities in PHP-applications exist User/attacker can influence the application mainly via its parameters We employ interprocedural dataflow analysis to gain knowledge about used parameters Especially types and possible values of parameters are interesting M. Egele, M. Szydlowski, E. Kirda, C. Kruegel Using Static Program Analysis to Aid Intrusion Detection

  7. Motivation Analysis Evaluation Summary what we want to do and why PHP is arguably the most prominent language to develop web-based applications Many exploits for vulnerabilities in PHP-applications exist User/attacker can influence the application mainly via its parameters We employ interprocedural dataflow analysis to gain knowledge about used parameters Especially types and possible values of parameters are interesting M. Egele, M. Szydlowski, E. Kirda, C. Kruegel Using Static Program Analysis to Aid Intrusion Detection

  8. Motivation Analysis Evaluation Summary existing intrusion detection system MAID tries to characterize web-requests through different models: Learning based intrusion detection system developed at the Secure Systems Lab TU Vienna. models include parameter presence/absence model, structural inference, token finder models . . . No a priori knowledge of applications it protects learning is basically done via logfile analysis In some cases unnecessary imprecision leads to many false positives → this is what we want to improve M. Egele, M. Szydlowski, E. Kirda, C. Kruegel Using Static Program Analysis to Aid Intrusion Detection

  9. Motivation Analysis Evaluation Summary existing intrusion detection system MAID tries to characterize web-requests through different models: Learning based intrusion detection system developed at the Secure Systems Lab TU Vienna. models include parameter presence/absence model, structural inference, token finder models . . . No a priori knowledge of applications it protects learning is basically done via logfile analysis In some cases unnecessary imprecision leads to many false positives → this is what we want to improve M. Egele, M. Szydlowski, E. Kirda, C. Kruegel Using Static Program Analysis to Aid Intrusion Detection

  10. Motivation Analysis Evaluation Summary existing intrusion detection system MAID tries to characterize web-requests through different models: Learning based intrusion detection system developed at the Secure Systems Lab TU Vienna. models include parameter presence/absence model, structural inference, token finder models . . . No a priori knowledge of applications it protects learning is basically done via logfile analysis In some cases unnecessary imprecision leads to many false positives → this is what we want to improve M. Egele, M. Szydlowski, E. Kirda, C. Kruegel Using Static Program Analysis to Aid Intrusion Detection

  11. Motivation Analysis Evaluation Summary existing intrusion detection system MAID tries to characterize web-requests through different models: Learning based intrusion detection system developed at the Secure Systems Lab TU Vienna. models include parameter presence/absence model, structural inference, token finder models . . . No a priori knowledge of applications it protects learning is basically done via logfile analysis In some cases unnecessary imprecision leads to many false positives → this is what we want to improve M. Egele, M. Szydlowski, E. Kirda, C. Kruegel Using Static Program Analysis to Aid Intrusion Detection

  12. Mode of Operation Motivation Parse Application Sourcecode Analysis Find Parameter Entry Points Evaluation Parameter Name Extraction Summary Type Inference Value Extraction mode of operation Input: Parse Abstract Identify PHP File and Represen− Interesting Action performed Source File Includes tation Parameters parse the application Output: Link Track Variable source code Parameter Parameters Variable Type Info and Usage Values Inference M. Egele, M. Szydlowski, E. Kirda, C. Kruegel Using Static Program Analysis to Aid Intrusion Detection

  13. Mode of Operation Motivation Parse Application Sourcecode Analysis Find Parameter Entry Points Evaluation Parameter Name Extraction Summary Type Inference Value Extraction mode of operation Input: Parse Abstract Identify PHP File and Represen− Interesting Action performed Source File Includes tation Parameters identify the parameters the application Output: Link Track Variable accepts Parameter Parameters Variable Type Info and Usage Values Inference M. Egele, M. Szydlowski, E. Kirda, C. Kruegel Using Static Program Analysis to Aid Intrusion Detection

  14. Mode of Operation Motivation Parse Application Sourcecode Analysis Find Parameter Entry Points Evaluation Parameter Name Extraction Summary Type Inference Value Extraction mode of operation Input: Parse Abstract Identify PHP File and Represen− Interesting Source File Includes tation Parameters Action performed type inference on variables Output: Link Track Variable Parameter Parameters Variable Type Info and Usage Values Inference M. Egele, M. Szydlowski, E. Kirda, C. Kruegel Using Static Program Analysis to Aid Intrusion Detection

  15. Mode of Operation Motivation Parse Application Sourcecode Analysis Find Parameter Entry Points Evaluation Parameter Name Extraction Summary Type Inference Value Extraction mode of operation Input: Parse Abstract Identify PHP File and Represen− Interesting Source File Includes tation Parameters Action performed variables values are tracked Output: Link Track Variable Parameter Parameters Variable Type Info and Usage Values Inference M. Egele, M. Szydlowski, E. Kirda, C. Kruegel Using Static Program Analysis to Aid Intrusion Detection

  16. Mode of Operation Motivation Parse Application Sourcecode Analysis Find Parameter Entry Points Evaluation Parameter Name Extraction Summary Type Inference Value Extraction mode of operation Input: Parse Abstract Identify PHP File and Represen− Interesting Source File Includes tation Parameters Action performed parameter usage is examined Output: Link Track Variable Parameter Parameters Variable Type Info and Usage Values Inference M. Egele, M. Szydlowski, E. Kirda, C. Kruegel Using Static Program Analysis to Aid Intrusion Detection

  17. Mode of Operation Motivation Parse Application Sourcecode Analysis Find Parameter Entry Points Evaluation Parameter Name Extraction Summary Type Inference Value Extraction parsing Original Zend language parser was used Includes are resolved (constant expressions) Variables and functions are identified M. Egele, M. Szydlowski, E. Kirda, C. Kruegel Using Static Program Analysis to Aid Intrusion Detection

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible Good behavior on one system is bad behavior on another Behaviors change and new vulnerabilities are discovered

700 views • 23 slides
Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter

Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter

Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 11 Page 1 CS 236 Online Outline Introduction Characteristics of intrusion detection systems Some sample intrusion detection

143 views • 12 slides
Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be bad Anomaly intrusion detection Try to detect deviations from normal behavior Specification intrusion detection Try to detect

627 views • 15 slides
Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Architecture of an IDS Organization Incident Response Slide #22-1 FEARLESS engineering Principles of Intrusion Detection

744 views • 40 slides
Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Organization Incident Response June 2, 2005 ECS 235, Computer and Information Slide #1 Security Principles of

1.38k views • 104 slides
Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion Detection Systems Tripwire Snort 2 IDS (Definition) Intrusion Detection is the process of monitoring the events occurring in a computer

571 views • 30 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236 systems Computer Software Some sample intrusion detection March 12, 2007 systems Lecture 14 Lecture 14 Page 1 Page 2 CS 236, Winter 2007

537 views • 10 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239 systems Computer Software Some sample intrusion detection March 9, 2005 systems Lecture 15 Lecture 15 Page 1 Page 2 CS 239, Winter 2005

602 views • 12 slides
1 Analysis Information Where Do Facts Hold? How much information depends on the client

1 Analysis Information Where Do Facts Hold? How much information depends on the client

711? CS711 Advanced Programming Languages Topics in Program Analysis Radu Rugina Fall 2005 CS711 Overview 2 Program Analysis Static vs. Dynamic Static analysis: inspect programs at compile-time Static analysis: Work done at

282 views • 4 slides
Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of

Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of

Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of Grenoble September 2014 Static analysis for exploitable vulnerability detection 1/43 Outline 1 Context Vulnerability detection process Static

546 views • 43 slides
Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative submittal instructions submittal instructions answer the lab assignments questions in written report form, as a text, pdf, or Word document

504 views • 21 slides
Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing with Intruders Detecting Intruders Principles of Intrusions and IDS The IDS Taxonomy Chapter 13 Using Rules and Thresholds for

297 views • 7 slides
Orchestra: Intrusion Detection Using Parallel Execution and Monitoring of Program Variants in

Orchestra: Intrusion Detection Using Parallel Execution and Monitoring of Program Variants in

Orchestra: Intrusion Detection Using Parallel Execution and Monitoring of Program Variants in User-Space Babak Salamat, Todd Jackson , Andreas Gal, and Michael Franz Secure Systems and Languages Laboratory Department of Computer Science

619 views • 27 slides
Enhancing interoperability and stateful analysis of cooperative netw ork intrusion detection

Enhancing interoperability and stateful analysis of cooperative netw ork intrusion detection

ANCS 2007, 3-4-December 2007 Enhancing interoperability and stateful analysis of cooperative netw ork intrusion detection system s Michele Colajanni, Daniele Gozzi and Mirco Marchetti Department of Information Engineering University of

398 views • 16 slides
Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion Detection Systems Detect malicious Raise alarms activities/attacks Alert administrators Hacking/ unauthorized access Trigger defense

217 views • 21 slides
Network Traffic Analysis and Intrusion Detection using Packet Sniffer Guanqun Wang Supervisor:

Network Traffic Analysis and Intrusion Detection using Packet Sniffer Guanqun Wang Supervisor:

Network Traffic Analysis and Intrusion Detection using Packet Sniffer Guanqun Wang Supervisor: Prof. Nirmalya Roy Introduction The paper is from 2010 Second International Conference on Communication Software and Networks; Basic

517 views • 15 slides
25% 75% Marketing

25% 75% Marketing

25% 75% Marketing & Vertrieb Requirement Engineers Entwicklung Test Betrieb Support Beratung (Audits, Piloten, Quality Control, Key Accounts, )

1.51k views • 68 slides
LASER: Light, Accurate Sharing dEtection and Repair Liang Luo, Akshitha Sriraman,

LASER: Light, Accurate Sharing dEtection and Repair Liang Luo, Akshitha Sriraman,

LASER: Light, Accurate Sharing dEtection and Repair Liang Luo, Akshitha Sriraman, Brooke Fugate, Shiliang Hu, Chris J Newburn, Gilles Pokam, Joseph DevieA Multicore is Eating the World

622 views • 24 slides
Short-baseline analysis techniques Zarko Pavlovic PhyStat-nu Fermilab 2016

Short-baseline analysis techniques Zarko Pavlovic PhyStat-nu Fermilab 2016

Short-baseline analysis techniques Zarko Pavlovic PhyStat-nu Fermilab 2016 Introduction Few short baseline experiments observed anomalous signals arXiv:1204.5379 Cant be reconciled with atmospheric

743 views • 31 slides
Accurate Polymorphism Detection Nevena Milojkovi Software Composition Group University of

Accurate Polymorphism Detection Nevena Milojkovi Software Composition Group University of

Accurate Polymorphism Detection Nevena Milojkovi Software Composition Group University of Bern Problem public static void main(String[] args){ AttributeFigure figure = new ComponentFigure(); figure.basicDisplayBox( point1, point2); }

292 views • 14 slides
Iterators Iterator Methods Iterator ix = x.iterator(); constructs and initializes an iterator to

Iterators Iterator Methods Iterator ix = x.iterator(); constructs and initializes an iterator to

Iterators Iterator Methods Iterator ix = x.iterator(); constructs and initializes an iterator to examine the elements of x; constructed iterator is assigned to ix An iterator permits you to examine the elements of a data structure one at a

451 views • 7 slides
Topic 24 More on Classes Classes Part II Classes are programmer defined data types In

Topic 24 More on Classes Classes Part II Classes are programmer defined data types In

Topic 24 More on Classes Classes Part II Classes are programmer defined data types In Java the primitives (int, char, double, "Object-oriented programming as it emerged boolean) are the core data types already in Simula 67 allows

215 views • 6 slides
Assurances vs. Capabilities as a Basis for Dispatch William Harrison Trinity College Dublin 1

Assurances vs. Capabilities as a Basis for Dispatch William Harrison Trinity College Dublin 1

Assurances vs. Capabilities as a Basis for Dispatch William Harrison Trinity College Dublin 1 The Problem The Problem: In common OO clients have to know where the implementation is. Several effects in client code: Syntactic distortion to

200 views • 7 slides
Infer A static analyzer for catching bugs before you ship Jules Villard jul@fb.com Facebook

Infer A static analyzer for catching bugs before you ship Jules Villard jul@fb.com Facebook

Infer A static analyzer for catching bugs before you ship Jules Villard jul@fb.com Facebook London github.com/facebook/infer/ Programming is Hard Need to think of ALL possible cases Keep track of all possible values If it can be null, it

1.09k views • 41 slides

More recommend