Theses and Dissertations
Combining Static Analysis and Dynamic Learning to Build Context Sensitive Models of Program Behavior
Issuing Body: Mississippi State University
Advisor: Bridges, Susan M.
Committee Members: Hodges, Julia E.; Vaughn, Rayford B.; Hansen, Eric A.; Dandass, Yoginder S.
Date of Degree: 12-10-2005
Document Type: Dissertation - Open Access
Major: Computer Science
Degree Name: Doctor of Philosophy
College: James Worth Bagley College of Engineering
Department: Department of Computer Science and Engineering
Abstract
This dissertation describes a family of models of program behavior, the Hybrid Push Down Automata (HPDA), that can be acquired using a combination of static analysis and dynamic learning in order to take advantage of the strengths of both. Static analysis is used to acquire a base model of all behavior defined in the binary source code. Dynamic learning from audit data is used to supplement the base model, providing a model that exactly follows the definition in the executable but that also includes legal behavior determined at runtime. Our model is similar to the VPStatic model proposed by Feng, Giffin, et al., but with different assumptions and organization. Return address information extracted from the program call stack and system call information are used to build the model. Dynamic learning alone, or a combination of static analysis and dynamic learning, can be used to acquire the model. We have shown that a new dynamic learning algorithm based on the assumption of a single entry point and exit point for each function can yield models of increased generality and can help reduce the false positive rate. Previous approaches based on static analysis typically work only with statically linked programs. We have developed a new component-based model and learning algorithm that builds separate models for the dynamic libraries used in a program, allowing the models to be shared by different program models. Sharing of models reduces memory usage when several programs are monitored, promotes reuse of library models, and simplifies model maintenance when the system updates dynamic libraries. Experiments demonstrate that the prototype detection system built with the HPDA approach has a performance overhead of less than 6% and can be used with complex real-world applications.
When compared to other detection systems based on analysis of operating system calls, the HPDA approach is shown to converge faster during learning, to detect attacks that escape other detection systems, and to have a lower false positive rate.
URI
https://hdl.handle.net/11668/19171
Recommended Citation
Liu, Zhen, "Combining Static Analysis and Dynamic Learning to Build Context Sensitive Models of Program Behavior" (2005). Theses and Dissertations. 1088.
https://scholarsjunction.msstate.edu/td/1088