Abstract

Intrusion detection systems (IDS) are one way to tackle the increasing number of attacks that exploit software vulnerabilities. However, the construction of such a security system is a delicate process involving: (i) the acquisition of the monitored program behavior and its storage in a compact way, (ii) the generation of a monitor detecting deviances in the program behavior. These problems are emphasized when dealing with complex or parallel programs. This paper presents a new approach to automatically generate a dedicated and customized IDS from C sources targeting multi-threaded programs. We use Petri Nets to benefit from a formal description able to compactly describe parallel behaviors. Obtained models can then be enhanced with extra requirements such as resources usage limits or temporal execution bounds by means of observers. We illustrate the benefits of our approach on a recent class of attacks targeting web servers.