A Videoconference Research Seminar

Two Novel Approaches for Host-based Anomaly Detection

by Debin GAO

Speaker: Debin GAO
Systems Software Engineer, CyLab
Carnegie Mellon University

Date: 25 April 2007 (Wednesday)

Time: 9:00 am - 10:30 am

Venue: Boardroom, Level 14
Administration Building
Singapore Management University

We look forward to seeing you at this videoconference.







Abstract

As people rely more on computers, building and maintaining a secure computing environment has become one of the most important research topics in computer science. However, many computer programs remain vulnerable, making intrusions into a computer relatively easy. Vulnerabilities like buffer overflows may permit an attacker to inject attack code, causing the vulnerable machine to run the attacker's program instead. Detecting such intrusions is critical in securing a computer system. This talk will cover two recently published gray-box anomaly detection techniques, Execution Graph and Behavioral Distance. Execution Graph is the first system-call model that both requires no static analysis of program source or binary and conforms to the control flow graph of the program. Behavioral Distance detects intrusions by evaluating the extent to which two processes, potentially running different programs and executing on different platforms, behave similarly in response to a common input. These two new techniques, offering a very low false-positive rate and a very low false-negative rate, respectively, make gray-box anomaly detectors highly practical in intrusion detection.

About the speaker

Debin Gao is a systems software engineer in CyLab. Debin's research interests are in security and cryptography. Specific topics include intrusion detection and static analysis of binary executables. Debin has published papers at top security conferences, including USENIX Security, the ACM Conference on Computer and Communications Security (CCS) and the International Symposium on Recent Advances in Intrusion Detection (RAID). He received the Ann and Martin McGuinn Graduate Fellowship for the year 2005, and the Frank J. Marshall Graduate Fellowship for the year 2004. Debin received his Ph.D. and M.S. in Electrical and Computer Engineering from Carnegie Mellon University in 2006 and 2004, respectively.

 
     
 
 
  © Copyright 2007 by Singapore Management University. All Rights Reserved.