Compacting Security Signatures for PIGA IDS

Pascal Berthomé 1 Jérémy Briffaut 1 Pierre Clairet 1
1 SDS - Sécurité des Données et des Systèmes
LIFO - Laboratoire d'Informatique Fondamentale d'Orléans
Abstract : PIGA (Policy Interaction Graph Analysis) is a tool that detects malicious process behaviours by analysing the operating system activities. This tool uses signatures that represent illegal activities of some malicious user. These signatures are generated from a graph that models the performed operations at operating system (OS) level. For usual security properties, the number of signatures is large and they are stored in the memory during the detection process. In this paper, we present a way to reduce the memory required to store the signatures while preserving their quality. The methodology is derived from the modular decomposition of graphs. We investigate the impact of such an approach for the confidentiality property. The efficiency of the methodology is evaluated on interaction graphs of real operating systems. The number of signatures is divided by 20 for the tested confidentiality property
Complete list of metadatas

https://hal.archives-ouvertes.fr/hal-00770935
Contributor : Pascal Berthomé <>
Submitted on : Monday, January 7, 2013 - 4:49:52 PM
Last modification on : Thursday, October 24, 2019 - 1:45:01 AM

Identifiers

  • HAL Id : hal-00770935, version 1

Citation

Pascal Berthomé, Jérémy Briffaut, Pierre Clairet. Compacting Security Signatures for PIGA IDS. SECURWARE-2012, Aug 2012, Rome, Italy. pp.126--133. ⟨hal-00770935⟩

Share

Metrics

Record views

134