2003
DOI: 10.1007/978-3-540-39650-5_17

An Improved Reference Flow Control Model for Policy-Based Intrusion Detection

Abstract: In this paper, we describe a novel approach to policy-based intrusion detection. The model we propose checks legality of information flows between objects in the system, according to an existing security policy specification. These flows are generated by executed system operations. Illegal flows, i.e., not authorized by the security policy, are signaled and considered as intrusion symptoms. This model is able to detect a large class of attacks, referred to as "attacks by delegation" in this paper. Si…

Cited by 19 publications (10 citation statements)
References 26 publications
“…More recently, Zimmerman et al proposed an intrusion detection model based on runtime enforcement of an information flow policy, which specifies which information flows are permissible in a given system [63,64]. Their model deals with information flows between entire objects, whereas our approach is based on fine-grained analysis that tracks flows involving object fields, local variables, global variables and array elements.…”
Section: Related Work (mentioning)
confidence: 98%
“…Their approach detects integrity violating data flows. Zimmerman et al [32] propose a rule based approach that prevents any integrity violating data flow. Jaume et al [17] propose a dynamic label updating procedure that detects if there is any confidentiality violating data flow.…”
Section: Related Work (mentioning)
confidence: 99%
“…On the other hand, earlier approaches proposed in the literature [21,32,17] keep track of all the actions and maintain information relevant to these to eliminate unauthorized flows, and therefore are more expensive than our proposed approach. Moreover, while Mao et al [21] and Zimmerman et al [32] address the issue of integrity violation, Jaume et al [17] address the issue of confidentiality violation, however, none of them tackle both of these problems. This paper is organized as follows.…”
Section: Introduction (mentioning)
confidence: 99%
“…Zimmerman et al's (October 2003, November 2003) policy-based model deals with information flows between entire objects. They assert that a finer-grained online analysis, which would involve analyzing: (1) data flows involving object fields and local variables and (2) control dependences, is unrealistic on a large-scale OS running third-party software (Zimmermann et al, October 2003). Our own prior work suggests that the higher overhead of fine-grained DIFA precludes its online application with processing-intensive applications (Masri, 2004).…”
Section: Introduction (mentioning)
confidence: 96%
“…Recently, Zimmerman et al (October 2003, November 2003) proposed an intrusion detection model based on runtime enforcement of an information flow policy, which specifies the information flows that are permissible in a given system. They argued that their model detects confidentiality and integrity violations more reliably than either signature matching systems or anomaly detection systems do, because it focuses on policy violations rather than on ancillary events.…”
Section: Introduction (mentioning)
confidence: 99%