Abstract
Detecting intrusions early enough can be a challenging and expensive endeavor. While intrusion detection techniques exist for many types of vulnerabilities, deploying them all to catch the small number of vulnerability exploitations that might actually exist for a given system is not cost-effective. In this paper, we present FloGuard, an on-line intrusion forensics and on-demand detector selection framework that provides systems with the ability to deploy the right detectors dynamically in a cost-effective manner when the system is threatened by an exploit. FloGuard relies on often easy-to-detect symptoms of attacks, e.g., participation in a botnet, and works backwards by iteratively deploying off-the-shelf detectors closer to the initial attack vector. The experiments using the EggDrop bot and systems with real vulnerabilities show that FloGuard can efficiently localize the attack origins even for unknown vulnerabilities, and can judiciously choose appropriate detectors to prevent them from being exploited in the future.
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Zonouz, S.A., Joshi, K.R., Sanders, W.H. (2011). FloGuard: Cost-Aware Systemwide Intrusion Defense via Online Forensics and On-Demand IDS Deployment. In: Flammini, F., Bologna, S., Vittorini, V. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2011. Lecture Notes in Computer Science, vol 6894. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-24270-0_25
DOI: https://doi.org/10.1007/978-3-642-24270-0_25
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-24269-4
Online ISBN: 978-3-642-24270-0
eBook Packages: Computer Science (R0)