Execution monitoring of security-critical programs in distributed systems: a specification-based approach

22 November 2002

proceedings article
Published by Institute of Electrical and Electronics Engineers (IEEE)

p. 175-187
https://doi.org/10.1109/secpri.1997.601332

Abstract

We describe a specification-based approach to detect exploitations of vulnerabilities in security-critical programs. The approach utilizes security specifications that describe the intended behavior of programs and scans audit trails for operations that are in violation of the specifications. We developed a formal framework for specifying the security-relevant behavior of programs, on which we based the design and implementation of a real-time intrusion detection system for a distributed system. Also, we wrote security specifications for 15 Unix setuid root programs. Our system detects attacks caused by monitored programs, including security violations caused by improper synchronization in distributed programs. Our approach encompasses attacks that exploit previously unknown vulnerabilities in security-critical programs.

Keywords

This publication has 7 references indexed in Scilit:

Detection of anomalous computer session activity
Published by Institute of Electrical and Electronics Engineers (IEEE) ,2003
USTAT: a real-time intrusion detection system for UNIX
Published by Institute of Electrical and Electronics Engineers (IEEE) ,2002
A sense of self for Unix processes
Published by Institute of Electrical and Electronics Engineers (IEEE) ,2002
Automated detection of vulnerabilities in privileged programs by execution monitoring
Published by Institute of Electrical and Electronics Engineers (IEEE) ,2002
Heterogeneous Data Translations Based on Environment Grammars
IEEE Transactions on Software Engineering, 1989
An Intrusion-Detection Model
IEEE Transactions on Software Engineering, 1987
Time, clocks, and the ordering of events in a distributed system
Communications of the ACM, 1978

Cited by 120 articles