FloGuard: Cost-Aware Systemwide Intrusion Defense via Online Forensics and On-Demand IDS Deployment

  • Conference paper
Computer Safety, Reliability, and Security (SAFECOMP 2011)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 6894)

Abstract

Detecting intrusions early enough can be a challenging and expensive endeavor. While intrusion detection techniques exist for many types of vulnerabilities, deploying all of them to catch the small number of vulnerability exploitations that might actually occur on a given system is not cost-effective. In this paper, we present FloGuard, an online intrusion forensics and on-demand detector selection framework that gives systems the ability to deploy the right detectors dynamically, in a cost-effective manner, when the system is threatened by an exploit. FloGuard relies on symptoms of attacks that are often easy to detect, e.g., participation in a botnet, and works backwards by iteratively deploying off-the-shelf detectors closer to the initial attack vector. Experiments using the EggDrop bot and systems with real vulnerabilities show that FloGuard can efficiently localize the attack origins even for unknown vulnerabilities, and can judiciously choose appropriate detectors to prevent them from being exploited in the future.

Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Zonouz, S.A., Joshi, K.R., Sanders, W.H. (2011). FloGuard: Cost-Aware Systemwide Intrusion Defense via Online Forensics and On-Demand IDS Deployment. In: Flammini, F., Bologna, S., Vittorini, V. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2011. Lecture Notes in Computer Science, vol 6894. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-24270-0_25

  • DOI: https://doi.org/10.1007/978-3-642-24270-0_25

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-24269-4

  • Online ISBN: 978-3-642-24270-0
