Host-Based Security Sensor Integrity in Multiprocessing Environments

Richard Mcevoy, Stephen D. Wolthusen

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Attack and intrusion detection on host systems is both a last line of defence and provides substantially more detail than other sensor types. However, any host-based sensor is likely to be a primary target for adversaries to ensure concealment and evasion of defensive measures. In this paper we therefore propose a novel defence mechanism for host-based sensors utilising true concurrent observation of state at key locations of operating systems and security controls, including a self-defence mechanism. This is facilitated by the ready availability of multi-core and multi-processor systems in symmetric and non-uniform architectures for general-purpose computers.
This obviates the need for specialised hardware components or overhead imposed by virtualisation approaches and has the added advantage of becoming increasingly difficult to foil as the number of concurrent observation threads increases whilst being highly scalable itself. We describe a formal model of this observation and self-observation mechanism. The analysis of the observations is supported by a causal model, which we describe briefly. Using causal models enables us to detect complex attacks using dynamic obfuscation as it relies on higher-order semantics and also allows the system to deal with non-linearity in memory writes which is characteristic of multiprocessing systems. We conclude with a brief description of experimental validation, demonstrating both high, adaptable performance and the ability to detect attacks on the mechanism itself.
Original languageEnglish
Title of host publicationInformation Security, Practice and Experience
Subtitle of host publication6th International Conference, ISPEC 2010
PublisherSpringer-Verlag
Pages138-152
ISBN (Print)978-3-642-12827-1
DOIs
Publication statusPublished - May 2010

Cite this