Monitoring Instruction-based Intrusion Detection and Self-healing System

Anomaly-based Intrusion Prevention Systems (IPSs) currently protect systems from zero-day attacks. However, since they either only inform administrators about the intrusions and/or just stop services or systems, they cannot stably continue services until the vulnerabilities are fixed by security patches. So self-healing systems (SHSs) are needed because they continue to safely execute services even if the applications have vulnerabilities. However since most SHSs rely on execution flows, e.g., system-call and library-function sequences, these systems cannot recover from non-controldata attacks. Such attacks target data that are not related with execution flow: user inputs, configuration data, etc. In this paper, we propose a novel SHS named RIN, Reactive INstruction-level recovery system, that uses instruction level rules for detection and recovery. RIN detects the falsifications of most data used in target applications and repairs them. We implemented RIN and evaluated it. The results show that it has sufficient functionality to find and fix the vulnerabilities for a function pointer and non-control-data.