On information flow for intrusion detection: What if accurate full-system dynamic information flow tracking was possible?

Mohammed I. Al-Saleh, Jedidiah R. Crandall

Research output: Chapter in Book/Report/Conference proceedingConference contribution

10 Scopus citations


Current intrusion detection systems (IDSes) fall into two very limiting categories: appearance-based or behavior-based. These rely on specifying good vs. bad behavior in terms of patterns in the malicious input or in the trace of execution during the attack. Some successful IDS systems have specified attacks in terms of information flow and the influences data sources have on the system, but only in very limited domains such as control data attacks, and typically using information flow tracking mechanisms customized to their purpose. Intrusion detection based on a general method for information flow tracking would allow for very explicit and general definitions of attacks that precluded entire categories of vulnerabilities and exploits, but our current methods for dynamic information flow tracking (DIFT) are inadequate to make this a reality. DIFT works by tagging (or tainting) data and tracking it to measure the information flow throughout the system. Existing DIFT systems have limited support for address and control dependencies, and therefore cannot track information flow within a full system, except in an ad-hoc, application-specific fashion. As a first step toward making information flow a new paradigm for intrusion detection, we present a prototype DIFT system that supports address and control dependencies in a general way. As a motivating example to demonstrate this system, we define an attack by the amount of control that external network entities have over what a networked system is doing. This coarse definition is not precise enough to detect attacks but serves as a demonstration of our approach to DIFT. We measure the amount of information flow between tainted sources and the control path of the CPU for a variety of scenarios and show that our prototype system gives intuitive, meaningful results.

Original languageEnglish (US)
Title of host publicationProceedings - New Security Paradigms Workshop 2010, NSPW 2010
Number of pages16
StatePublished - 2010
Externally publishedYes
EventNew Security Paradigms Workshop, NSPW 2010 - Concord, MA, United States
Duration: Sep 21 2010Sep 23 2010

Publication series

NameProceedings New Security Paradigms Workshop


ConferenceNew Security Paradigms Workshop, NSPW 2010
Country/TerritoryUnited States
CityConcord, MA


  • dynamic information flow tracking
  • intrusion detection
  • quantitative information flow

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Hardware and Architecture
  • Software
  • Information Systems


Dive into the research topics of 'On information flow for intrusion detection: What if accurate full-system dynamic information flow tracking was possible?'. Together they form a unique fingerprint.

Cite this