Carla Marceau
Ithaca College
Publication
Featured research published by Carla Marceau.
New Security Paradigms Workshop | 2001
Carla Marceau
Abstract: Some recent advances in intrusion detection are based on detecting anomalies in program behavior, as characterized by the sequence of kernel calls the program makes. Specifically, traces of kernel calls are collected during a training period. The substrings of fixed length N (for some N) of those traces are called N-grams. The set of N-grams occurring during normal execution has been found to discriminate effectively between normal behavior of a program and the behavior of the program under attack. The N-gram characterization, while effective, requires the user to choose a suitable value for N. This paper presents an alternative characterization, as a finite state machine whose states represent predictive sequences of different lengths. An algorithm is presented to construct the finite state machine from training data, based on traditional string-processing data structures but employing some novel techniques.
IEEE Transactions on Software Engineering | 1990
David Guaspari; Carla Marceau; Wolfgang Polak
The Penelope verification editor and its formal basis are described. Penelope is a prototype system for the interactive development and verification of programs that are written in a rich subset of sequential Ada. Because it generates verification conditions incrementally, Penelope can be used to develop a program and its correctness proof in concert. If an already-verified program is modified, one can attempt to prove the modified version by replaying and modifying the original sequence of proof steps. Verification conditions are generated by predicate transformers whose logical soundness can be proven by establishing a precise formal connection between predicate transformation and denotational definitions in the style of continuation semantics. Penelope's specification language, Larch/Ada, belongs to the family of Larch interface languages. It scales up properly, in the sense that one can demonstrate the soundness of decomposing an implementation hierarchically and reasoning locally about the implementation of each node in the hierarchy.
Software - Practice and Experience | 1991
Norman Ramsey; Carla Marceau
We used literate programming on a team project to write a 33,000-line program for the Synthesizer Generator. The program, Penelope, was written using WEB, a tool designed for writing literate programs. Unlike other WEB programs, many of which have been written by WEB's developer or by individuals, Penelope was not intended to be published. We used WEB in the hope that both our team and its final product would benefit from the advantages often attributed to literate programming. The WEB source served as good internal documentation throughout development and maintenance, and it continues to document Penelope's design and implementation. Our experience also uncovered a number of problems with WEB.
Proceedings of SPIE, the International Society for Optical Engineering | 2005
Carla Marceau; James P. Hanna; Daryl McCullough; Ashish Popli; Matt Stillerman
Net-centric information systems such as the Air Force's Joint Battlespace Infosphere (JBI) require a secure, scalable, object repository to support the vision of a globally accessible, secure, distributed information “space.” Peer-to-peer (P2P) technology holds significant promise for these large-scale information repositories because of its demonstrated scalability and robustness. The development of a P2P object repository poses significant challenges: distributed query processing and security. This paper presents and discusses ORIS, a peer-to-peer object repository that not only stores objects but also supports database-type queries. The ORIS P2P technology ensures resilience and scalability and also employs secret sharing techniques and access control to ensure the confidentiality, integrity, and availability of objects even if a number of peers are physically or clandestinely compromised by an enemy attack. The Air Force Research Laboratory has developed the Distributed Information Enterprise Modeling and Simulation (DIEMS) framework that efficiently supports the modeling and simulation of large globally distributed computer networks. DIEMS has been used to model prototypes of the JBI and is currently being used to assess the system performance, scalability, and survivability of ORIS. Preliminary results indicate query performance to be acceptable given an adequate network configuration. We also present the results of this modeling and simulation assessment.
Proceedings of SPIE, the International Society for Optical Engineering | 2007
Marisa M. Gioioso; S. Daryl McCullough; Jennifer P. Cormier; Carla Marceau; Robert A. Joyce
Modern Defense strategy and execution is increasingly net-centric, making more information available more quickly. In this environment, the intelligence agent or warfighter must distinguish decision-quality information from potentially inaccurate, or even conflicting, pieces of information from multiple sources - often in time-critical situations. The Pedigree Management and Assessment Framework (PMAF) enables the publisher of information to record standard provenance metadata about the source, manner of collection, and the chain of modification of information as it passed through processing and/or assessment. In addition, the publisher can define and include other metadata relevant to quality assessment, such as domain-specific metadata about sensor accuracy or the organizational structure of agencies. PMAF stores this potentially enormous amount of metadata compactly and presents it to the user in an intuitive graphical format, together with PMAF-generated assessments that enable the user to quickly estimate information quality. PMAF has been created for a net-centric information management system; it can access pedigree information across communities of interest (COIs) and across network boundaries and will also be implemented in a Web Services environment.
International Conference on Information and Communication Security | 2006
Carla Marceau; Matthew Stillerman
Modern computing environments depend on extensive shared libraries. In this paper, we propose monitoring the calls between those libraries as a new source of data for host-based anomaly detection. That is, we characterize an application by its use of shared library functions and characterize each shared library function by its use of (lower-level) shared libraries. This approach to intrusion detection offers significant benefits, especially in systems such as Windows, much of which is implemented above the kernel as dynamically linked libraries (DLLs). It localizes anomalies to particular code modules, facilitating anomaly analysis and assessment and discouraging mimicry attacks. It reduces retraining after system updates and enables training concurrent with detection. The proposed approach can be used with various techniques for modeling call sequences, including N-grams, automata, and techniques that consider parameter values. To demonstrate its potential, we have studied how a DLL-level profiling IDS would detect two recent attacks on Windows systems.
Archive | 2004
Carla Marceau; Matthew Stillerman
Communications of the ACM | 1999
Matthew Stillerman; Carla Marceau; Maureen Stillman
Archive | 2007
Carla Marceau; Matthew Stillerman; David I. Rosenthal; Marisa M. Gioioso
International Workshop on Larch | 1992
David Guaspari; Carla Marceau; Wolfgang Polak