Efficient Context-Sensitive Intrusion Detection
Model-based intrusion detection compares a process's execution against a program model to detect intrusion attempts. Models constructed from static program analysis have historically traded precision for efficiency. The authors address this problem with the Dyck model, the first efficient statically-constructed context-sensitive model. This model specifies both the correct sequences of system calls that a program can generate and the stack changes occurring at function call sites. Experiments demonstrate that the Dyck model is an order of magnitude more precise than a context-insensitive finite state machine model. With null call squelching, a dynamic technique to bound cost, the Dyck model operates in time similar to the context-insensitive model. They also present two static analysis techniques designed to counter mimicry and evasion attacks.
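The following Python is an added illustration of the precision gap the abstract describes; it is not code from the paper and does not reproduce its construction or its null-call mechanism. It constructs a toy program in which one function (`log`) is called from two places, then runs the same trace through a context-insensitive finite state machine, which merges every return edge of `log` and so accepts an "impossible path", and through a Dyck-style pushdown monitor, which additionally sees a push symbol at each call site and a pop symbol at each return and rejects a return that does not match the pending call. The program, the traces and the event encoding are all constructed here; the assumption that the monitored binary reports call-site symbols to the monitor is mine.

```python
"""Added example: a context-insensitive FSM model versus a Dyck-style
(pushdown) model of system call behaviour.  The program, traces and
event encoding below are constructed for illustration only."""

from collections import deque

# Constructed program: each function is a list of events, either a
# system call ("sys", name) or a call at a named site ("call", site, callee).
# 'log' is shared by main and worker; that sharing creates the impossible
# path in the context-insensitive model.
PROGRAM = {
    "main":   [("call", "c1", "log"), ("sys", "read"),
               ("call", "c2", "worker"), ("sys", "exit")],
    "worker": [("call", "c3", "log"), ("sys", "write")],
    "log":    [("sys", "open"), ("sys", "close")],
}
ENTRY = "main"


def _return_sites(callee):
    """Every (function, index) position just after a call to `callee`."""
    return [(f, i + 1) for f, body in PROGRAM.items()
            for i, ev in enumerate(body)
            if ev[0] == "call" and ev[2] == callee]


def fsm_accepts(syscalls):
    """Context-insensitive model over system calls only.  States are
    (function, index); call and return edges are epsilon moves with no
    stack, so a function exit may return to ANY site that calls it.
    Accepts if the trace is a prefix of some path through the model."""
    def closure(states):
        seen, work = set(states), deque(states)
        while work:
            f, i = work.popleft()
            body = PROGRAM[f]
            if i < len(body) and body[i][0] == "call":
                nxt = (body[i][2], 0)          # follow the call edge
                if nxt not in seen:
                    seen.add(nxt)
                    work.append(nxt)
            if i == len(body) and f != ENTRY:  # function exit: all return edges
                for nxt in _return_sites(f):
                    if nxt not in seen:
                        seen.add(nxt)
                        work.append(nxt)
        return seen

    current = closure({(ENTRY, 0)})
    for name in syscalls:
        step = {(f, i + 1) for f, i in current
                if i < len(PROGRAM[f]) and PROGRAM[f][i] == ("sys", name)}
        current = closure(step)
        if not current:
            return False
    return True


def dyck_accepts(events):
    """Context-sensitive model.  The process also reports ("call", site)
    and ("ret", site) symbols (assumed to come from instrumented call
    sites).  A call pushes its site; a return must pop the same site, so
    control can only return to where the call actually came from."""
    stack = []
    f, i = ENTRY, 0
    for ev in events:
        body = PROGRAM[f]
        if ev[0] == "sys":
            if i >= len(body) or body[i] != ev:
                return False
            i += 1
        elif ev[0] == "call":
            if i >= len(body) or body[i][0] != "call" or body[i][1] != ev[1]:
                return False
            stack.append((f, i + 1, ev[1]))
            f, i = body[i][2], 0
        elif ev[0] == "ret":
            if i != len(body) or not stack or stack[-1][2] != ev[1]:
                return False
            f, i, _ = stack.pop()
        else:
            return False
    return True


def syscalls_only(events):
    """Strip the stack symbols: the view a context-insensitive monitor has."""
    return [ev[1] for ev in events if ev[0] == "sys"]


# Constructed traces.  LEGIT is exactly what the program above does.
LEGIT = [("call", "c1"), ("sys", "open"), ("sys", "close"), ("ret", "c1"),
         ("sys", "read"),
         ("call", "c2"), ("call", "c3"), ("sys", "open"), ("sys", "close"),
         ("ret", "c3"), ("sys", "write"), ("ret", "c2"), ("sys", "exit")]

# Impossible path: log is entered from main's site c1 but leaves along the
# return edge that belongs to worker's site c3, reaching write without
# ever passing through read.  No real execution of the program does this.
IMPOSSIBLE = [("call", "c1"), ("sys", "open"), ("sys", "close"), ("ret", "c3"),
              ("sys", "write"), ("ret", "c2"), ("sys", "exit")]

if __name__ == "__main__":
    for label, trace in (("legit", LEGIT), ("impossible", IMPOSSIBLE)):
        print(label, "fsm:", fsm_accepts(syscalls_only(trace)),
              "dyck:", dyck_accepts(trace))
```

Both monitors accept the genuine trace, but only the Dyck-style monitor rejects the impossible path: the FSM sees the system call sequence `open close write exit` and finds a path for it because `log`'s exit has a return edge to both call sites. That extra slack is precisely what a context-sensitive model removes, and it is why the abstract reports an order of magnitude gain in precision from tracking stack changes at call sites.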