The goal of the Exorcist project (External Observer to Recognize
Computer Intrusions using System Traces) is to create a viable,
behavior-based intrusion detection system for defending computers
against program misuse, which primarily takes the form of buffer
overflow attacks, viruses and trojanization. The method we use is
to monitor the system calls executed by the process to be defended.
The stream of system calls is matched against a previously defined
model of normal behavior.
The model of normal behavior is created by performing a static
analysis on the binary executable of the program. This analysis
results in the creation of a control flow graph, from which a non-deterministic
finite automaton (NFA) is derived. The NFA represents every sequence of
system calls the program could legitimately execute.
The analysis phase can be performed offline, and the resulting
NFA stored for subsequent use during program execution. Every time
a program executes a system call, it is matched against the corresponding
NFA (if it exists) by a sensor built into the operating system.
If a mismatch is detected (the execution of a system call that is
not allowed in the current state of the NFA), an alarm is triggered.
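The matching step described above, as an added illustration that is not part of the Exorcist project's code: a small constructed NFA (system-call-labelled edges plus epsilon edges for basic blocks with no syscall, an assumed encoding) is tracked as a set of possible states, and the first call that no current state permits is reported as the mismatch that would raise an alarm.

```python
from collections import deque

# Constructed example NFA in the spirit of one derived from a control flow
# graph. States are ints; an edge label is a syscall name or None (epsilon,
# a path through code that issues no syscall). The modelled program opens a
# file, reads it in a loop, optionally writes, then closes and exits.
EXAMPLE_NFA = {
    "start": 0,
    "edges": {
        0: [("open", 1)],
        1: [("read", 2)],
        2: [("read", 2), (None, 3)],    # loop back, or fall through
        3: [("write", 4), (None, 4)],   # write occurs on one branch only
        4: [("close", 5)],
        5: [("exit", 6)],
        6: [],
    },
}

def epsilon_closure(nfa, states):
    """All states reachable from `states` via epsilon (None) edges."""
    closure = set(states)
    work = deque(states)
    while work:
        s = work.popleft()
        for label, t in nfa["edges"].get(s, []):
            if label is None and t not in closure:
                closure.add(t)
                work.append(t)
    return closure

class SyscallMonitor:
    """Tracks every NFA state consistent with the syscalls observed so far."""
    def __init__(self, nfa):
        self.nfa = nfa
        self.current = epsilon_closure(nfa, {nfa["start"]})

    def step(self, syscall):
        """True if some current state allows `syscall`; False means alarm."""
        nxt = {t for s in self.current
               for label, t in self.nfa["edges"].get(s, []) if label == syscall}
        if not nxt:
            return False   # no state permits this call: model mismatch
        self.current = epsilon_closure(self.nfa, nxt)
        return True

def check_trace(nfa, trace):
    """Index of the first disallowed syscall, or -1 if the trace fits the model."""
    mon = SyscallMonitor(nfa)
    for i, sc in enumerate(trace):
        if not mon.step(sc):
            return i
    return -1
```

Because the state set is carried forward rather than enumerating paths, each observed syscall costs time proportional to the number of live states and their out-edges, which is the efficiency the text relies on.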
This approach has the following main advantages:
· It does not depend on the existence and constant maintenance of
  accurate signatures for different attacks, and it does not require
  an extensive training phase. All the necessary information is
  extracted statically from the executable program.
· It does not depend on the availability of source code.
· It can detect previously unknown attacks.
· Matching against an NFA can be done efficiently, so the monitored
  programs suffer little performance degradation.
The development of Exorcist also poses some interesting research
and implementation problems, such as issues concerning handling
indirect jumps and subroutine calls, algorithms used for simplification
of the graphs, correct handling of signals, and dependency on platform-
and library-specific aspects for the analysis phase.
The Exorcist sensor has been implemented as a patch to Linux v2.4.4,
and is currently being tested for deployment. Future expected developments
include porting to other operating systems (mainly Windows) and
platforms, improvements in the algorithms used for the analysis
and matching phases, and extensive accuracy and performance testing.