Proceedings of the Linux Symposium

  • Briglia A
  • Bezerra A
  • Moiseichuk L
  • et al.

Abstract

Host-based Intrusion Detection Systems traditionally compare observable data to pre-constructed models of normal behavior. Such models can either be automatically learnt during a training session, or manually written by the user. Alas, the former technique suffers from false positives, and therefore repeatedly requires user intervention, while the latter technique is tedious and demanding. In this paper we discuss how static analysis can be used to automatically construct a model of application behavior. We show that the derived model can prevent future or unknown code injection attacks (such as buffer overflows) with guaranteed zero false alarms. We present Korset, a Linux prototype that implements this approach, and focus on its Kernel implementation and performance.

Cite

CITATION STYLE

APA

Briglia, A., Bezerra, A., Moiseichuk, L., & Gupta, N. (2007). Proceedings of the Linux Symposium. Linux Symposium.
