Enhancing System-Call-Based Intrusion Detection With Protocol Context
Building an accurate program model is challenging but vital for the development of an effective host-based Intrusion Detection System (IDS). The model should be designed to precisely reveal the intrinsic semantic logic of a program, which contains not only control-flows (e.g., system call sequences) but also data-flows (e.g., the arguments and return values passed between those calls) and the interdependency between the two. However, most existing intrusion detection models consider either control-flows or data-flows, but not both or their interwoven dependency, leading to inaccurate or incomplete program modeling. In this paper, the authors present a semantic flow-based model that seamlessly integrates control-flows, data-flows, and their inter-dependency, thus greatly improving the precision and completeness when modeling program behavior.
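To make the control-flow versus data-flow distinction concrete, the following is an added toy example (not the paper's model or code). It learns two things from constructed, labelled training traces: which system-call transitions occur (a control-flow model over call sequences) and which earlier call's return value must feed a later call's argument (a data-flow dependency, e.g. the descriptor passed to `read` must have been returned by `open`). The event format `(syscall, args, return_value)`, the trace contents and the `SemanticFlowModel` class are all assumptions made for the illustration. The `use_dataflow` switch shows the abstract's point: a trace whose call sequence is perfectly normal but whose descriptor was never produced by an `open` passes a control-flow-only check and is caught only when the data-flow dependency is enforced.

```python
from collections import defaultdict

# Constructed training traces: (syscall, args, return_value) per event.
# These are illustrative, not real recorded traces.
TRAINING_TRACES = [
    [("open", ("/etc/passwd",), 3), ("read", (3, 4096), 100), ("close", (3,), 0)],
    [("open", ("/var/log/app.log",), 4), ("write", (4, 64), 50), ("close", (4,), 0)],
]

START, END = "<start>", "<end>"


class SemanticFlowModel:
    """Hypothetical toy model combining call-sequence transitions with
    argument/return-value dependencies learned from benign traces."""

    def __init__(self):
        # control-flow: set of observed (previous_call, next_call) pairs
        self.transitions = set()
        # data-flow: (consumer_call, arg_index) -> set of producer calls whose
        # integer return value was observed to be passed as that argument
        self.producers = defaultdict(set)

    def train(self, traces):
        for trace in traces:
            prev = START
            for i, (name, args, _ret) in enumerate(trace):
                self.transitions.add((prev, name))
                prev = name
                # record which earlier call produced each integer argument
                for k, arg in enumerate(args):
                    if not isinstance(arg, int):
                        continue
                    for pname, _pargs, pret in trace[:i]:
                        if pret == arg:
                            self.producers[(name, k)].add(pname)
            self.transitions.add((prev, END))
        return self

    def check(self, trace, use_dataflow=True):
        """Return a list of violation strings; an empty list means the trace
        conforms to the learned model."""
        violations = []
        prev = START
        for i, (name, args, _ret) in enumerate(trace):
            if (prev, name) not in self.transitions:
                violations.append(f"control-flow: {prev} -> {name}")
            prev = name
            if not use_dataflow:
                continue
            for k, arg in enumerate(args):
                allowed = self.producers.get((name, k))
                if not allowed:
                    continue  # no dependency learned for this argument
                # some earlier call in this trace must be an allowed producer
                # whose return value equals the argument being consumed
                satisfied = any(pname in allowed and pret == arg
                                for pname, _pargs, pret in trace[:i])
                if not satisfied:
                    violations.append(
                        f"data-flow: {name} arg{k}={arg} not produced by "
                        f"{sorted(allowed)}")
        if (prev, END) not in self.transitions:
            violations.append(f"control-flow: {prev} -> {END}")
        return violations


def build_model():
    return SemanticFlowModel().train(TRAINING_TRACES)


# Constructed test traces (assumptions for the illustration).
BENIGN_TRACE = [("open", ("/tmp/x",), 5), ("read", (5, 4096), 10), ("close", (5,), 0)]
# Same call sequence as benign traces, but read() uses a descriptor that no
# open() in this trace returned: invisible to a control-flow-only model.
DANGLING_FD_TRACE = [("open", ("/tmp/x",), 3), ("read", (7, 4096), 10), ("close", (3,), 0)]
# Call order never seen in training.
BAD_ORDER_TRACE = [("read", (3, 4096), 10)]


if __name__ == "__main__":
    model = build_model()
    for label, trace in [("benign", BENIGN_TRACE),
                         ("dangling fd", DANGLING_FD_TRACE),
                         ("bad order", BAD_ORDER_TRACE)]:
        print(label, "control-flow only:", model.check(trace, use_dataflow=False))
        print(label, "with data-flow:   ", model.check(trace))
```

Running the block shows the dangling-descriptor trace reported as clean by the control-flow-only check and flagged with a single data-flow violation by the combined check, while the out-of-order trace is caught by both.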