Taint-enhanced anomaly detection

Lorenzo Cavallaro; R. Sekar

doi:10.1007/978-3-642-25560-1_11

Taint-enhanced anomaly detection

Lorenzo Cavallaro
, R. Sekar

Computer Science

Stony Brook University

Vrije Universiteit Amsterdam

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

6 Scopus citations

Abstract

Anomaly detection has been popular for a long time due to its ability to detect novel attacks. However, its practical deployment has been limited due to false positives. Taint-based techniques, on the other hand, can avoid false positives for many common exploits (e.g., code or script injection), but their applicability to a broader range of attacks (non-control data attacks, path traversals, race condition attacks, and other unknown attacks) is limited by the need for accurate policies on the use of tainted data. In this paper, we develop a new approach that combines the strengths of these approaches. Our combination is very effective, detecting attack types that have been problematic for taint-based techniques, while significantly cutting down the false positives experienced by anomaly detection. The intuitive justification for this result is that a successful attack involves unusual program behaviors that are exercised by an attacker. Anomaly detection identifies unusual behaviors, while fine-grained taint can filter out behaviors that do not seem controlled by attacker-provided data.

Original language	English
Title of host publication	Information Systems Security - 7th International Conference, ICISS 2011, Proceedings
Pages	160-174
Number of pages	15
DOIs	https://doi.org/10.1007/978-3-642-25560-1_11
State	Published - 2011
Event	7th International Conference on Information Systems Security, ICISS 2011 - Kolkata, India Duration: Dec 15 2011 → Dec 19 2011

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	7093 LNCS

Conference

Conference	7th International Conference on Information Systems Security, ICISS 2011
Country/Territory	India
City	Kolkata
Period	12/15/11 → 12/19/11

Access to Document

10.1007/978-3-642-25560-1_11

Cite this

@inproceedings{fe6a1ad8e9ac4c498acd0bab1aa3a8e6,

title = "Taint-enhanced anomaly detection",

abstract = "Anomaly detection has been popular for a long time due to its ability to detect novel attacks. However, its practical deployment has been limited due to false positives. Taint-based techniques, on the other hand, can avoid false positives for many common exploits (e.g., code or script injection), but their applicability to a broader range of attacks (non-control data attacks, path traversals, race condition attacks, and other unknown attacks) is limited by the need for accurate policies on the use of tainted data. In this paper, we develop a new approach that combines the strengths of these approaches. Our combination is very effective, detecting attack types that have been problematic for taint-based techniques, while significantly cutting down the false positives experienced by anomaly detection. The intuitive justification for this result is that a successful attack involves unusual program behaviors that are exercised by an attacker. Anomaly detection identifies unusual behaviors, while fine-grained taint can filter out behaviors that do not seem controlled by attacker-provided data.",

author = "Lorenzo Cavallaro and R. Sekar",

year = "2011",

doi = "10.1007/978-3-642-25560-1\_11",

language = "English",

isbn = "9783642255595",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

pages = "160--174",

booktitle = "Information Systems Security - 7th International Conference, ICISS 2011, Proceedings",

note = "7th International Conference on Information Systems Security, ICISS 2011 ; Conference date: 15-12-2011 Through 19-12-2011",

}

Cavallaro, L & Sekar, R 2011, Taint-enhanced anomaly detection. in Information Systems Security - 7th International Conference, ICISS 2011, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 7093 LNCS, pp. 160-174, 7th International Conference on Information Systems Security, ICISS 2011, Kolkata, India, 12/15/11. https://doi.org/10.1007/978-3-642-25560-1_11

Taint-enhanced anomaly detection. / Cavallaro, Lorenzo; Sekar, R.
Information Systems Security - 7th International Conference, ICISS 2011, Proceedings. 2011. p. 160-174 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 7093 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Taint-enhanced anomaly detection

AU - Cavallaro, Lorenzo

AU - Sekar, R.

PY - 2011

Y1 - 2011

N2 - Anomaly detection has been popular for a long time due to its ability to detect novel attacks. However, its practical deployment has been limited due to false positives. Taint-based techniques, on the other hand, can avoid false positives for many common exploits (e.g., code or script injection), but their applicability to a broader range of attacks (non-control data attacks, path traversals, race condition attacks, and other unknown attacks) is limited by the need for accurate policies on the use of tainted data. In this paper, we develop a new approach that combines the strengths of these approaches. Our combination is very effective, detecting attack types that have been problematic for taint-based techniques, while significantly cutting down the false positives experienced by anomaly detection. The intuitive justification for this result is that a successful attack involves unusual program behaviors that are exercised by an attacker. Anomaly detection identifies unusual behaviors, while fine-grained taint can filter out behaviors that do not seem controlled by attacker-provided data.

AB - Anomaly detection has been popular for a long time due to its ability to detect novel attacks. However, its practical deployment has been limited due to false positives. Taint-based techniques, on the other hand, can avoid false positives for many common exploits (e.g., code or script injection), but their applicability to a broader range of attacks (non-control data attacks, path traversals, race condition attacks, and other unknown attacks) is limited by the need for accurate policies on the use of tainted data. In this paper, we develop a new approach that combines the strengths of these approaches. Our combination is very effective, detecting attack types that have been problematic for taint-based techniques, while significantly cutting down the false positives experienced by anomaly detection. The intuitive justification for this result is that a successful attack involves unusual program behaviors that are exercised by an attacker. Anomaly detection identifies unusual behaviors, while fine-grained taint can filter out behaviors that do not seem controlled by attacker-provided data.

UR - https://www.scopus.com/pages/publications/81855169450

U2 - 10.1007/978-3-642-25560-1_11

DO - 10.1007/978-3-642-25560-1_11

M3 - Conference contribution

SN - 9783642255595

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 160

EP - 174

BT - Information Systems Security - 7th International Conference, ICISS 2011, Proceedings

T2 - 7th International Conference on Information Systems Security, ICISS 2011

Y2 - 15 December 2011 through 19 December 2011

ER -

Taint-enhanced anomaly detection

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Cite this