Enhancing System-Called-Based Intrusion Detection with Protocol Context

Abstract—Building an accurate program model is challenging but vital for the development of an effective hostbased intrusion detection system (IDS). The model should be designed to precisely reveal the intrinsic semantic logic of a program, which not only contains control-flows (e.g., system call sequences), but also data-flows as well as their interdependency. However, most existing intrusion detection models consider either control-flows or data-flows, but not both or their interweaved dependency, leading to inaccurate or incomplete program modeling. In this paper, we present a semantic flowbased model that seamlessly integrates control-flows, dataflows, as well as their inter-dependency, thus greatly improving the precision and completeness when modeling program behavior. More specifically, the semantic flow model describes program behavior in terms of basic semantic units, each of which semantically captures one essential aspect of a program’s behavior. The relationship among these semantic units can be further obtained by applying the protocol knowledge behind the (server) program. We show that the integrated semantic flow model enables earlier detection and prevention of many attacks than existing approaches.