Synchronous Signal Delivery in a Multi-Variant Intrusion Detection System

msra(2009)

Abstract
The number and complexity of software attacks are increasing. This growth necessitates proper defense mechanisms. Intrusion detection systems have an important role in detecting and disrupting attacks before they can compromise software. Multi-variant execution is a technique that runs multiple variants or versions of a program and looks for divergences in their execution behavior. A divergence in behavior is an indication of an attack. Unfortunately, it could also be a false positive. Asynchronous signals are one of the main sources of false positives. We present a novel solution which removes false positives generated by signals. Our system runs variants of a program in parallel. These variants are run under the supervision of a monitor. When a signal is sent to one of the variants, the monitor intercepts it and synchronizes its delivery to all the variants. Our experimental results show negligible performance degradation in real applications. By creating a realistic solution and removing an important source of false positives, we have increased the accuracy of multi-variant intrusion detection systems.