
Research On Intrusion Model Reconstruction From Execution-Trace

Posted on: 2010-01-27
Degree: Master
Type: Thesis
Country: China
Candidate: B K Zhang
GTID: 2178360302960544
Subject: Computer application technology
Abstract/Summary:
Network intrusion reconstruction has important applications in trusted software evolution and protection in unreliable or insecure environments, as well as in malware analysis. As modern intrusions grow more complicated, automated reconstruction of a dynamic intrusion model that is consistent with the intrusion mechanism is becoming particularly helpful to trusted software evolution and protection.

Most widely applied network intrusion models are static models, with the following characteristics. Most are aimed at one specific intrusion, as in the signature-matching model, so a new model has to be reconstructed for each variant of the intrusion. Most intrusion signatures are not context-sensitive, so they cannot accurately represent the complicated dynamic process of an intrusion. Most modeling processes are based on the intrusion message stream without considering the behavior of the victim, which limits the intrusion characteristics to the session instances observed and makes it difficult to identify similar intrusion behaviors; such behaviors may have totally different message styles while having the same attack objective. While most practical intrusion detection models are built by hand by analysts, it is important to develop accurate and effective automated modeling technology, especially as the number of intrusion methods increases rapidly.

This paper proposes an efficient method to reconstruct a general network intrusion model from the transcripts and instruction traces recorded during the intrusion, via decompilation, enhanced formal analysis and verification techniques. In contrast to most current work, which focuses on exploit signature generation, our method precisely models the context-sensitive relations among malicious messages to reflect the intrusion dynamics, and has practical efficiency and provable soundness.
In addition to detailed theoretical analysis, the engineering evaluation and application are also briefly presented.
Keywords/Search Tags:Network Intrusion, Model Reconstruction, Execution Traces