This proposal details an ambitious effort to develop a Smart Host-Based Intrusion Detection System (SHIDS). SHIDS supports a self-healing, self-monitoring, self-diagnosing, self-hardening, and self-recovering network architecture that, after corruption by an attack, automatically creates malware fingerprints and alert messages to protect against variants of known threats as well as possible zero-day attacks. SHIDS uses a hooking technique to collect binary behavior at the instruction level without requiring source-code changes. It employs rule-based detectors, behavior-based detectors, and a combination of both to reliably identify zero-day malware as well as polymorphic worms, and it generates malware fingerprints. SHIDS includes mechanisms to avoid discovery of the SHIDS by attackers, and responds robustly to attempts to circumvent its detection, such as polymorphism, encryption of collected data, hiding exploits in large volumes of system calls, rate variation, and randomization of the attack vector. SHIDS also responds robustly to attempts by an attacker to produce ambiguous signatures. Furthermore, SHIDS adaptively adjusts its vigilance level based on the state of host and network health using state-of-the-art statistical techniques such as fuzzy matching, classification, and clustering. Finally, SHIDS uses hybrid finite state automata to perform malware fingerprint matching efficiently.
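The abstract's closing point, automaton-based matching of many behavioral fingerprints in a single pass over collected host activity, is illustrated below with a standard Aho-Corasick automaton over a syscall-name alphabet. This is an added example written for this page, not SHIDS code, and it does not reproduce the proposal's "hybrid" automaton; the fingerprint identifiers, the fingerprint sequences and the sample syscall trace are all constructed for the demonstration.

```python
from collections import deque

# Constructed fingerprints: each is a short, contiguous sequence of syscall
# names that a detector has previously flagged. Identifiers are illustrative.
FINGERPRINTS = {
    "fp-001": ("socket", "connect", "open", "write"),
    "fp-002": ("open", "write", "execve"),
    "fp-003": ("mprotect", "write", "execve"),
}

# Constructed syscall trace, as a hook on the monitored binary might record it.
SAMPLE_TRACE = ["open", "read", "socket", "connect",
                "open", "write", "execve", "close"]


class FingerprintAutomaton:
    """Aho-Corasick automaton: matches every fingerprint in one pass over a trace.

    Each trace symbol is consumed once, whatever the number of fingerprints,
    which is what makes automaton matching cheap enough for a live host monitor.
    """

    def __init__(self, fingerprints):
        self.goto = [{}]        # state -> {syscall: next_state} (trie edges)
        self.fail = [0]         # state -> longest proper suffix that is a trie path
        self.output = [set()]   # state -> fingerprint ids ending in this state
        for name, seq in fingerprints.items():
            self._add(name, seq)
        self._build_failure_links()

    def _add(self, name, seq):
        s = 0
        for sym in seq:
            if sym not in self.goto[s]:
                self.goto.append({})
                self.fail.append(0)
                self.output.append(set())
                self.goto[s][sym] = len(self.goto) - 1
            s = self.goto[s][sym]
        self.output[s].add(name)

    def _build_failure_links(self):
        # Breadth-first over the trie so a state's failure link is set
        # after the links of all shallower states.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for sym, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and sym not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(sym, 0)
                # A fingerprint that is a suffix of this path also ends here.
                self.output[s] |= self.output[self.fail[s]]

    def scan(self, trace):
        """Return (trace_index, fingerprint_id) for every fingerprint occurrence."""
        matches = []
        s = 0
        for i, sym in enumerate(trace):
            while s and sym not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(sym, 0)
            for name in sorted(self.output[s]):
                matches.append((i, name))
        return matches


def scan_sample():
    """Match the constructed fingerprints against the constructed trace."""
    return FingerprintAutomaton(FINGERPRINTS).scan(SAMPLE_TRACE)


if __name__ == "__main__":
    for index, fingerprint in scan_sample():
        print(f"trace position {index}: matched {fingerprint}")
```

The scan reports `fp-001` ending at position 5 and `fp-002` ending at position 6; the second match is found through the failure link from the end of `fp-001`, since `open, write` is both a suffix of the first fingerprint and a prefix of the second. The same block also shows one evasion the abstract lists: inserting an unrelated syscall inside a fingerprinted sequence (for example `read` between `connect` and `open`) breaks the contiguous match, which is why a detector that relies on exact sequences needs the behavior-based layer the proposal pairs with it.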
Keywords: Self Healing, Intrusion Detection Systems (IDS), Automatic Signature Generation, Cyber Security, Cyber Protection