Host-Based Security Sensor Integrity in Multiprocessing Environments. / Mcevoy, Richard; Wolthusen, Stephen D.

Information Security, Practice and Experience: 6th International Conference, ISPEC 2010. Springer-Verlag, 2010. p. 138-152.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Published


Harvard

Mcevoy, R & Wolthusen, SD 2010, Host-Based Security Sensor Integrity in Multiprocessing Environments. in Information Security, Practice and Experience: 6th International Conference, ISPEC 2010. Springer-Verlag, pp. 138-152. https://doi.org/10.1007/978-3-642-12827-1_11

APA

Mcevoy, R., & Wolthusen, S. D. (2010). Host-Based Security Sensor Integrity in Multiprocessing Environments. In Information Security, Practice and Experience: 6th International Conference, ISPEC 2010 (pp. 138-152). Springer-Verlag. https://doi.org/10.1007/978-3-642-12827-1_11

Vancouver

Mcevoy R, Wolthusen SD. Host-Based Security Sensor Integrity in Multiprocessing Environments. In Information Security, Practice and Experience: 6th International Conference, ISPEC 2010. Springer-Verlag. 2010. p. 138-152 https://doi.org/10.1007/978-3-642-12827-1_11

Author

Mcevoy, Richard ; Wolthusen, Stephen D. / Host-Based Security Sensor Integrity in Multiprocessing Environments. Information Security, Practice and Experience: 6th International Conference, ISPEC 2010. Springer-Verlag, 2010. pp. 138-152

BibTeX

@inproceedings{df5ea4d5ab714050bec123cbde7773bc,
title = "Host-Based Security Sensor Integrity in Multiprocessing Environments",
abstract = "Attack and intrusion detection on host systems is both a last line of defence and provides substantially more detail than other sensor types. However, any host-based sensor is likely to be a primary target for adversaries to ensure concealment and evasion of defensive measures. In this paper we therefore propose a novel defence mechanism for host-based sensors utilising true concurrent observation of state at key locations of operating systems and security controls, including a self-defence mechanism. This is facilitated by the ready availability of multi-core and multi-processor systems in symmetric and non-uniform architectures for general-purpose computers. This obviates the need for specialised hardware components or overhead imposed by virtualisation approaches and has the added advantage of becoming increasingly difficult to foil as the number of concurrent observation threads increases whilst being highly scalable itself. We describe a formal model of this observation and self-observation mechanism. The analysis of the observations is supported by a causal model, which we describe briefly. Using causal models enables us to detect complex attacks using dynamic obfuscation as it relies on higher-order semantics and also allows the system to deal with non-linearity in memory writes which is characteristic of multiprocessing systems. We conclude with a brief description of experimental validation, demonstrating both high, adaptable performance and the ability to detect attacks on the mechanism itself.",
author = "Richard Mcevoy and Wolthusen, {Stephen D.}",
year = "2010",
month = "5",
doi = "10.1007/978-3-642-12827-1_11",
language = "English",
isbn = "978-3-642-12827-1",
pages = "138--152",
booktitle = "Information Security, Practice and Experience",
publisher = "Springer-Verlag",
}

RIS

TY  - GEN
T1  - Host-Based Security Sensor Integrity in Multiprocessing Environments
AU  - Mcevoy, Richard
AU  - Wolthusen, Stephen D.
PY  - 2010/5
Y1  - 2010/5
N2  - Attack and intrusion detection on host systems is both a last line of defence and provides substantially more detail than other sensor types. However, any host-based sensor is likely to be a primary target for adversaries to ensure concealment and evasion of defensive measures. In this paper we therefore propose a novel defence mechanism for host-based sensors utilising true concurrent observation of state at key locations of operating systems and security controls, including a self-defence mechanism. This is facilitated by the ready availability of multi-core and multi-processor systems in symmetric and non-uniform architectures for general-purpose computers. This obviates the need for specialised hardware components or overhead imposed by virtualisation approaches and has the added advantage of becoming increasingly difficult to foil as the number of concurrent observation threads increases whilst being highly scalable itself. We describe a formal model of this observation and self-observation mechanism. The analysis of the observations is supported by a causal model, which we describe briefly. Using causal models enables us to detect complex attacks using dynamic obfuscation as it relies on higher-order semantics and also allows the system to deal with non-linearity in memory writes which is characteristic of multiprocessing systems. We conclude with a brief description of experimental validation, demonstrating both high, adaptable performance and the ability to detect attacks on the mechanism itself.
AB  - Attack and intrusion detection on host systems is both a last line of defence and provides substantially more detail than other sensor types. However, any host-based sensor is likely to be a primary target for adversaries to ensure concealment and evasion of defensive measures. In this paper we therefore propose a novel defence mechanism for host-based sensors utilising true concurrent observation of state at key locations of operating systems and security controls, including a self-defence mechanism. This is facilitated by the ready availability of multi-core and multi-processor systems in symmetric and non-uniform architectures for general-purpose computers. This obviates the need for specialised hardware components or overhead imposed by virtualisation approaches and has the added advantage of becoming increasingly difficult to foil as the number of concurrent observation threads increases whilst being highly scalable itself. We describe a formal model of this observation and self-observation mechanism. The analysis of the observations is supported by a causal model, which we describe briefly. Using causal models enables us to detect complex attacks using dynamic obfuscation as it relies on higher-order semantics and also allows the system to deal with non-linearity in memory writes which is characteristic of multiprocessing systems. We conclude with a brief description of experimental validation, demonstrating both high, adaptable performance and the ability to detect attacks on the mechanism itself.
U2  - 10.1007/978-3-642-12827-1_11
DO  - 10.1007/978-3-642-12827-1_11
M3  - Conference contribution
SN  - 978-3-642-12827-1
SP  - 138
EP  - 152
BT  - Information Security, Practice and Experience
PB  - Springer-Verlag
ER  -