Security and Privacy in Communication Networks. 7th International ICST Conference, SecureComm 2011, London, UK, September 7-9, 2011, Revised Selected Papers

Research Article

On Detection of Erratic Arguments

Download
268 downloads
  • @INPROCEEDINGS{10.1007/978-3-642-31909-9_10,
        author={Jin Han and Qiang Yan and Robert Deng and Debin Gao},
        title={On Detection of Erratic Arguments},
        proceedings={Security and Privacy in Communication Networks. 7th International ICST Conference, SecureComm 2011, London, UK, September 7-9, 2011, Revised Selected Papers},
        proceedings_a={SECURECOMM},
        year={2012},
        month={10},
        keywords={Intrusion detection system call argument diversity},
        doi={10.1007/978-3-642-31909-9_10}
    }
    
  • Jin Han
    Qiang Yan
    Robert Deng
    Debin Gao
    Year: 2012
    On Detection of Erratic Arguments
    SECURECOMM
    Springer
    DOI: 10.1007/978-3-642-31909-9_10
Jin Han1,*, Qiang Yan1,*, Robert Deng1,*, Debin Gao1,*
  • 1: Singapore Management University
*Contact email: jin.han.2007@smu.edu.sg, qiang.yan.2008@smu.edu.sg, robertdeng@smu.edu.sg, dbgao@smu.edu.sg

Abstract

Due to the erratic nature, the value of a function argument in one normal program execution could become illegal in another normal execution context. Attacks utilizing such erratic arguments are able to evade detections as fine-grained context information is unavailable in many existing detection schemes. In order to obtain such fine-grained context information, a precise model on the internal program states has to be built, which is impractical especially monitoring a closed source program alone. In this paper, we propose an intrusion detection scheme which builds on two diverse programs providing semantically-close functionality. Our model learns underlying semantic correlation of the argument values in these programs, and consequently gains more accurate context information compared to existing schemes. Through experiments, we show that such context information is effective in detecting attacks which manipulate erratic arguments with comparable false positive rates.