Faculty Candidate: Jonathon T. Giffin/University of Wisconsin-Madison Two Sides of Intrusion Detection: Strengthening and Attacking Model-Based Detectors in ACES 2.302

Contact Name: 
Jenna Whitney
Mar 9, 2006 11:00am - 12:00pm

There is a signup schedule for th

is event.

Speaker Name/Affiliation: Jonathon T. Giffin/University o

f Wisconsin-Madison Computer Sciences Department

Talk Title: Two S

ides of Intrusion Detection: Strengthening and Attacking Model-Based Detect


Date/Time: March 9 2006 at 11:00 a.m.

Coffee: 10:45 a.m


Location: ACES 2.302

Host: Vitaly Shmatikov

Talk A

Model-based anomaly detectors discover computer system attacks

that cause malicious process execution. The detectors verify
calls invoked by a process against a model of expected
behavior. Execu

tion that deviates from the model indicates
that the process is under a

n attacker''s control. Existing
model-based detectors produce false ala

rms require manual
effort cause significant performance degradation

and miss
attacks masked as normal execution. I will present a strong <

br>usable intrusion detection system that addresses
many of these defici


I eliminate false positives and the need for manual work
by automatically extracting models using static binary program

s. Statically-constructed models historically traded
accuracy for dete

ction speed. I will show that my Dyck model
a new stack-deterministic

push-down automaton eliminates
the trade-off by reducing the complexit

y of accurate model
enforcement from cubic time to linear time. The Dyc

k model
pushes model-based detection into the realm of real-world


I then evaluate the ability of a program model to detect

intrusions. I find undetected attacks: malicious system
call seque

nces erroneously allowed by a model as valid execution.
Using model-che

cking I automatically discover attacks previously
found only with manu

al inspection of a program model. These
undetected attacks demonstrate<

br>deficiencies of model-based detection that future research
will need
to address.