Hits:

Indexed by:期刊论文

Date of Publication:2011-01-01

Journal:IEICE TRANSACTIONS ON FUNDAMENTALS OF ELECTRONICS COMMUNICATIONS AND COMPUTER SCIENCES

Included Journals:SCIE

Volume:E94A

Issue:1

Page Number:255-264

ISSN No.:1745-1337

Key Words:intrusion detection; state transition table; static analysis; stack walks

Abstract:Those host-based intrusion detection models like VPStatic first construct a model of acceptable behaviors for each monitored program via static analysis, and then perform intrusion detection by comparing them with programs' runtime behaviors. These models usually share the highly desirable feature that they do not produce false alarms but face the conflicts between accuracy and efficiency. For instance, the high accuracy of the VPStatic model is at the cost of high space complexity. In this paper, we use a statically-constructed state transition table (STT), which records expected transitions among system calls as well as their stack states (return address lists), as a behavior model to perform context-sensitive intrusion detection. According to our analysis, our STT model improves the space efficiency of the VPStatic model without decreasing its high precision and time efficiency. Experiments show that for three test programs, memory uses of our STT models are all much less than half of the VPStatic models'. Thereby, we alleviate the conflicts between the accuracy and the efficiency.