Software applications are routinely exposed to adversarial input that can manipulate the program structure to take malicious actions on behalf of the adversary. In an especially destructive class of attacks, the adversary gains enough control over the victim process to execute arbitrary code under the permissions and environment of the original program. Numerous defenses have been developed to prevent these attacks or limit their impact, but these approaches have significant limitations. Many require the application source to be compiled or modified by a hardening tool, while others focus on a specific subset of potential attacks. Intrusion detection systems make it possible to detect a much broader range of attacks and can block malicious inputs, but existing approaches rely on an input pattern matching approach that has become largely incompatible with today’s complex and dynamic applications.

The key idea behind introspective intrusion detection is that, while application interfaces grow increasingly dynamic, the control flow of normal execution within an application exhibits relatively little variation. By recording normal program behavior to a trusted profile, an introspective IDS can expose the pivotal steps of an attack where the adversary takes control of the execution. Two introspective IDS prototypes have been implemented and evaluated on several large and complex programs that are widely popular among today’s computer users. BlackBox monitors unmodified COTS binaries for x86 platforms at a runtime overhead of 14% on the SPEC CPU 2006 benchmarks. During normal (safe) usage of popular applications such as Google Chrome, Microsoft Office and Adobe PDF Reader, BlackBox reports less than 100 anomalies of low suspicion per hour, yet consistently detects known exploits against vulnerable applications. ZenIDS monitors PHP applications at a runtime overhead of less than 5% vs. an optimized LAMP stack while raising less than .01% false positives during a full year of live Internet traffic to applications built on industrial PHP frameworks such as WordPress and Symfony. More than 38,000 true alerts were raised during the year in response to real attacks on these deployed applications, and in controlled experiments ZenIDS consistently detected published exploits.