Repeating the Past - Experimental and Empirical Methods in System and Software Security
by Stephan Neuhaus

Saarland University, February 2008.



I propose a new method of analyzing intrusions: instead of analyzing evidence and deducing what must have happened, I find the intrusion-causing circumstances by a series of automatic experiments. I first capture process system calls, and when an intrusion has been detected, I use these system calls to replay some of the captured processes in order to find the intrusion-causing processes - the cause-effect chain that led to the intrusion. I extend this approach to also find the inputs to those processes that cause the intrusion - the attack signature.
Intrusion analysis is a minimization problem - how to find a minimal set of circumstances that makes the intrusion happen. I develop several efficient minimization algorithms and show their theoretical properties, such as worst-case running times, as well as empirical evidence for a comparison of average running times.
My evaluations show that the approach is correct and practical: it finds the 3 processes out of 32 that are responsible for a proof-of-concept attack in about 5 minutes, and it finds the 72 out of 168 processes in a large, complicated, and difficult-to-detect multi-stage attack involving Apache and suidperl in about 2.5 hours. I also extract attack signatures in proof-of-concept attacks in reasonable time.
I have also considered the problem of predicting, before deployment, which components in a software system are most likely to contain vulnerabilities. I present empirical evidence that vulnerabilities are connected to a component's imports. In a case study on Mozilla, I correctly predicted one half of all vulnerable components, while more than two thirds of my predictions were correct.
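To make the minimization idea concrete, here is an added example (not code from the dissertation, which does not state on this page which algorithms it uses) of a delta-debugging style minimization over a set of recorded processes. The replay of captured system calls is simulated by a constructed oracle that reports an intrusion exactly when a hypothetical set of three culprit process IDs is replayed together; the 32 process IDs and the culprit set are constructed sample values chosen to mirror the figures in the abstract.

```python
from typing import Callable, FrozenSet, List, Sequence

# Type of the "replay and check for intrusion" experiment: given the set of
# process IDs to replay, report whether the intrusion reappears.
Oracle = Callable[[FrozenSet[int]], bool]


def ddmin(candidates: Sequence[int], intrusion: Oracle) -> List[int]:
    """Return a 1-minimal subset of candidates for which intrusion() holds.

    1-minimal means that removing any single process from the result makes
    the intrusion disappear. The strategy is the classic ddmin loop: split the
    current set into n chunks, try each chunk alone, then each complement,
    and refine the granularity when neither reduces the set.
    """
    if not intrusion(frozenset(candidates)):
        raise ValueError("the full process set must reproduce the intrusion")
    current = list(candidates)
    n = 2
    while len(current) >= 2:
        size = len(current)
        chunks = [current[i * size // n:(i + 1) * size // n] for i in range(n)]
        reduced = False
        # Reduce to a subset: does one chunk alone reproduce the intrusion?
        for chunk in chunks:
            if intrusion(frozenset(chunk)):
                current, n, reduced = chunk, 2, True
                break
        if reduced:
            continue
        # Reduce to a complement: can one chunk be left out of the replay?
        for chunk in chunks:
            complement = [p for p in current if p not in chunk]
            if intrusion(frozenset(complement)):
                current, n, reduced = complement, max(n - 1, 2), True
                break
        if reduced:
            continue
        # Neither worked: increase granularity, or stop at single processes.
        if n >= len(current):
            break
        n = min(2 * n, len(current))
    return current


def is_one_minimal(subset: Sequence[int], intrusion: Oracle) -> bool:
    """Check that every process in subset is needed to reproduce the intrusion."""
    full = frozenset(subset)
    return intrusion(full) and all(not intrusion(full - {p}) for p in subset)


class CountingOracle:
    """Constructed stand-in for replaying captured system calls.

    Each call counts as one replay experiment; in practice each experiment is
    a real (and slow) replay, so the number of calls is the cost that matters.
    """

    def __init__(self, culprits: FrozenSet[int]) -> None:
        self.culprits = culprits
        self.experiments = 0

    def __call__(self, replayed: FrozenSet[int]) -> bool:
        self.experiments += 1
        return self.culprits <= replayed


def analyze(num_processes: int = 32, culprits: Sequence[int] = (7, 19, 23)):
    """Minimize a constructed 32-process capture down to the culprit chain."""
    oracle = CountingOracle(frozenset(culprits))
    processes = list(range(1, num_processes + 1))  # constructed process IDs
    minimal = ddmin(processes, oracle)
    return sorted(minimal), oracle.experiments


if __name__ == "__main__":
    chain, experiments = analyze()
    print(f"intrusion-causing processes: {chain} after {experiments} experiments")
```

The oracle here is deterministic; with a real replay, non-deterministic experiments are the main practical difficulty, since a single wrong verdict can steer the minimization toward a set that is not minimal or that does not reproduce the intrusion at all. The `is_one_minimal` check is the cheap sanity test to run on the result.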

BibTeX Entry

@phdthesis{neuhaus2008repeating,
    title = "Repeating the Past - Experimental and Empirical Methods in System and Software Security",
    author = "Stephan Neuhaus",
    year = "2008",
    month = feb,
    location = "Saarbruecken, Germany",
    school = "Saarland University",
}
