A Sense of Self for Unix Processes - PowerPoint PPT Presentation

1 / 9
About This Presentation
Title:

A Sense of Self for Unix Processes

Description:

A Sense of Self for Unix Processes. Stephanie Forrest, ... A natural immune system doesn't have a catalog of all viruses that exist ... Infamous for many ... – PowerPoint PPT presentation

Number of Views:71
Avg rating:3.0/5.0
Slides: 10
Provided by: leejae
Category:

less

Transcript and Presenter's Notes

Title: A Sense of Self for Unix Processes


1
A Sense of Self for Unix Processes
  • Stephanie Forrest, Steven A. Hofmeyr,
  • Anil Somayaji and Thomas A. Longstaff
  • IEEE SP 1996

2
Introduction
  • A sense of self Immunology approach
  • The authors were inspired by natural immune
    systems
  • A natural immune system doesnt have a catalog of
    all viruses that exist in the world
  • They have a strong sense of self, allowing them
    to identify and attack non-self entities
  • The same thing is possible on the computer
    Computer immune systems
  • self normal behavior
  • non-self intrusion (attempts) or error
    conditions

3
Getting to know yourself anomaly detection
  • Find a metric that characterizes the system
  • Build up a database of normal values for that
    metric when the system is working as it should
  • Continually monitor the metric set off an alarm
    if it deviates from the database
  • Test the metric for false positives/negatives

4
Applying the method
  • First target application
  • sendmail
  • Privileged process
  • Sufficiently varied and complex
  • Infamous for many security holes
  • So, there are several documented attacks that can
    be used for testing
  • First metric ? System call traces
  • Normal database to be built up by recording
    sendmails behavior in a wide variety of everyday
    tasks (many types of messages)

5
Defining Self - System Call Traces
lt Sample system call sequence gt open, read, mmap,
mmap, open, getrlimit, mmap, close
read mmap mmap open
mmap mmap open getrlimit open getrlimit mmap
close getrlimit mmap close close
6
Database in training
7
The normal database
  • Using a window size of 6, running sendmail
    through its paces produced a database of only
    1500 entries and was stable
  • This is only 5 10-5 of all possible entries
  • The small size of the database is critical
  • Big database ? variability in normal ?
    difficulty in detecting anomalies
  • Big database ? no realtime monitoring

8
Results
Anomaly Num sunsendmailcp 4.1 95 syslog remo
te 1 4.2 470 remote 2 1.5 137 local
1 4.2 398 local 2 3.4 309 decode 0.3 24 lprcp
1.4 12 sm565a 0.4 36 sm5x 1.7 157 forward
loop 1.8 58
9
Discussion
  • Short sequences of system calls define a stable
    signature that can detect some common sources of
    anomalous behavior in sendmail
  • But it cant detect
  • Race condition attacks
  • Intrusions for an intruder using another users
    account
  • cf) Anomaly intrusion detection system using
    users profile can do it!
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "A Sense of Self for Unix Processes" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!