
Showing papers by "Richard P. Lippmann published in 2007"


Patent
08 Jun 2007
TL;DR: In this paper, a method to generate an attack graph includes determining if a potential node provides a first precondition equivalent to one of preconditions provided by a group of preexisting nodes on the attack graph.
Abstract: In one aspect, a method to generate an attack graph includes determining if a potential node provides a first precondition equivalent to one of preconditions provided by a group of preexisting nodes on the attack graph. The group of preexisting nodes includes a first state node, a first vulnerability instance node, a first prerequisite node, and a second state node. The method also includes, if the first precondition is equivalent to one of the preconditions provided by the group of preexisting nodes, coupling a current node to a preexisting node providing the precondition equivalent to the first precondition using a first edge and if the first precondition is not equivalent to one of the preconditions provided by the group of preexisting nodes, generating the potential node as a new node on the attack graph and coupling the new node to the current node using a second edge.

55 citations


28 Mar 2007
TL;DR: A system that automatically assembles a test suite for a C program to improve line coverage, with initial results for a prototype implementation of COMET, whose dynamic taint tracing dramatically narrows the search over inputs necessary to expose new code.
Abstract: We present COMET, a system that automatically assembles a test suite for a C program to improve line coverage, and give initial results for a prototype implementation. COMET works dynamically, running the program under a variety of instrumentations in a feedback loop that adds new inputs to an initial corpus with each iteration. One instrumentation in particular is crucial to the success of this approach: dynamic taint tracing. Inputs are labeled as tainted at the byte level and all read/write pairs in the program are augmented to track the flow of taint between memory objects. This allows COMET to determine from which bytes of which inputs the variables in conditions derive, thereby dramatically narrowing the search over inputs necessary to expose new code. On a test set of 13 example programs, COMET improves upon the level of coverage reached in random testing by an average of 23% relative, takes only about twice the time, and requires a tiny fraction of the number of inputs to do so.

31 citations


ReportDOI
11 May 2007
TL;DR: This work proposes an approach to intrusion detection that combines HIDS, NIDS, and a version of IPsec that encrypts the header and the body of IP packets separately, and refers to the latter generically as TwoKey IPsec.
Abstract: Network-based intrusion detection systems (NIDSs) are one component of a comprehensive network security solution. The use of IPsec, which encrypts network traffic, renders network intrusion detection virtually useless unless traffic is decrypted at network gateways. One alternative to NIDSs, host-based intrusion detection systems (HIDSs), provides some of the functionality of NIDSs but with limitations. HIDSs cannot perform a network-wide analysis and can be subverted if a host is compromised. We propose an approach to intrusion detection that combines HIDS, NIDS, and a version of IPsec that encrypts the header and the body of IP packets separately. We refer to the latter generically as TwoKey IPsec. We show that all of the network events currently detectable by the Snort NIDS on unencrypted network traffic are also detectable on encrypted network traffic using this approach. The NIDS detects network-level events that HIDSs have trouble detecting and HIDSs detect application-level events that can't be detected by the NIDS.

4 citations


Proceedings ArticleDOI
01 Oct 2007
TL;DR: This work proposes an approach to intrusion detection that combines HIDS, NIDS, and a version of IPsec that encrypts the header and the body of IP packets separately ("Two-Zone IPsec").
Abstract: Network-based intrusion detection systems (NIDSs) are one component of a comprehensive network security solution. The use of IPsec, which encrypts network traffic, renders network intrusion detection virtually useless unless traffic is decrypted at network gateways. Host-based intrusion detection systems (HIDSs) can provide some of the functionality of NIDSs but with limitations. HIDSs cannot perform a network-wide analysis and can be subverted if a host is compromised. We propose an approach to intrusion detection that combines HIDS, NIDS, and a version of IPsec that encrypts the header and the body of IP packets separately ("Two-Zone IPsec"). We show that all of the network events currently detectable by the Snort NIDS on unencrypted network traffic are also detectable on encrypted network traffic using this approach. The NIDS detects network-level events that HIDSs have trouble detecting and HIDSs detect application-level events that can't be detected by the NIDS.

3 citations



Book
01 Jan 2007
TL;DR: This volume covers Host-Based Intrusion Detection, including an approach for the Anomaly-Based Detection of State Violations in Web Applications, and Exploiting Execution Context for the Detection of Anomalous System Calls.
Abstract (table of contents):
Host-Based Intrusion Detection
  Exploiting Execution Context for the Detection of Anomalous System Calls
  Understanding Precision in Host Based Intrusion Detection
Anomaly-Based Intrusion Detection
  Comparing Anomaly Detection Techniques for HTTP
  Swaddler: An Approach for the Anomaly-Based Detection of State Violations in Web Applications
Network-Based Intrusion Detection and Response
  Emulation-Based Detection of Non-self-contained Polymorphic Shellcode
  The NIDS Cluster: Scalable, Stateful Network Intrusion Detection on Commodity Hardware
  Cost-Sensitive Intrusion Responses for Mobile Ad Hoc Networks
Insider Detection and Alert Correlation
  elicit: A System for Detecting Insiders Who Violate Need-to-Know
  On the Use of Different Statistical Tests for Alert Correlation - Short Paper
Malicious Code Analysis
  Automated Classification and Analysis of Internet Malware
  "Out-of-the-Box" Monitoring of VM-Based High-Interaction Honeypots
  A Forced Sampled Execution Approach to Kernel Rootkit Identification
Evasion
  Advanced Allergy Attacks: Does a Corpus Really Help?
  Alert Verification Evasion Through Server Response Forging
Malicious Code Defense
  Hit-List Worm Detection and Bot Identification in Large Networks Using Protocol Graphs
  SpyShield: Preserving Privacy from Spy Add-Ons
  Vortex: Enabling Cooperative Selective Wormholing for Network Security Systems

1 citation