Observation Mechanism and Cost Model for Tightly Coupled Asymmetric Concurrency. / Seeger, Mark; Wolthusen, Stephen D.

Proceedings, 2010 Fifth International Conference on Systems (ICONS 2010). IEEE Computer Society Press, 2010. p. 158-163.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Published

Harvard

Seeger, M & Wolthusen, SD 2010, Observation Mechanism and Cost Model for Tightly Coupled Asymmetric Concurrency. in Proceedings, 2010 Fifth International Conference on Systems (ICONS 2010). IEEE Computer Society Press, pp. 158-163. https://doi.org/10.1109/ICONS.2010.34

APA

Seeger, M., & Wolthusen, S. D. (2010). Observation Mechanism and Cost Model for Tightly Coupled Asymmetric Concurrency. In Proceedings, 2010 Fifth International Conference on Systems (ICONS 2010) (pp. 158-163). IEEE Computer Society Press. https://doi.org/10.1109/ICONS.2010.34

Vancouver

Seeger M, Wolthusen SD. Observation Mechanism and Cost Model for Tightly Coupled Asymmetric Concurrency. In Proceedings, 2010 Fifth International Conference on Systems (ICONS 2010). IEEE Computer Society Press. 2010. p. 158-163 https://doi.org/10.1109/ICONS.2010.34

Author

Seeger, Mark ; Wolthusen, Stephen D. / Observation Mechanism and Cost Model for Tightly Coupled Asymmetric Concurrency. Proceedings, 2010 Fifth International Conference on Systems (ICONS 2010). IEEE Computer Society Press, 2010. pp. 158-163

BibTeX

@inproceedings{5fb26fb421144d8080425915da44eecd,
title = "Observation Mechanism and Cost Model for Tightly Coupled Asymmetric Concurrency",
abstract = "Whilst the precise objectives and mechanisms used by malicious code will vary widely and may involve wholly unknown techniques to achieve their respective objectives, certain second-order operations such as privilege escalation or concealment of the code's presence or activity are predictable. In particular, concealment mechanisms must modify well-known data structures, which could be detected trivially otherwise. We argue that any such mechanism is necessarily non-atomic and can hence be detected through concurrent observations forcing an interleaved linearization of the malicious code with observations of memory state changes induced in tightly coupled concurrent processing units. Extending previous research for the case of symmetric concurrent observation, we propose a computational model and observation mechanism for the case of tightly coupled asymmetric concurrent processing units as may be found in most current computing environments with particular emphasis on metrics for the cost of forced synchronization and resource contention caused by observations. We argue that the resulting observations will provide a novel sensor datum for intrusion detection but may also be used as a standalone probabilistic detection mechanism particularly suited to detect attacks in progress.",
author = "Mark Seeger and Wolthusen, {Stephen D.}",
year = "2010",
month = may,
doi = "10.1109/ICONS.2010.34",
language = "English",
isbn = "978-1-4244-6231-5",
pages = "158--163",
booktitle = "Proceedings, 2010 Fifth International Conference on Systems (ICONS 2010)",
publisher = "IEEE Computer Society Press",

}

RIS

TY - GEN

T1 - Observation Mechanism and Cost Model for Tightly Coupled Asymmetric Concurrency

AU - Seeger, Mark

AU - Wolthusen, Stephen D.

PY - 2010/5

Y1 - 2010/5

N2 - Whilst the precise objectives and mechanisms used by malicious code will vary widely and may involve wholly unknown techniques to achieve their respective objectives, certain second-order operations such as privilege escalation or concealment of the code's presence or activity are predictable. In particular, concealment mechanisms must modify well-known data structures, which could be detected trivially otherwise. We argue that any such mechanism is necessarily non-atomic and can hence be detected through concurrent observations forcing an interleaved linearization of the malicious code with observations of memory state changes induced in tightly coupled concurrent processing units. Extending previous research for the case of symmetric concurrent observation, we propose a computational model and observation mechanism for the case of tightly coupled asymmetric concurrent processing units as may be found in most current computing environments with particular emphasis on metrics for the cost of forced synchronization and resource contention caused by observations. We argue that the resulting observations will provide a novel sensor datum for intrusion detection but may also be used as a standalone probabilistic detection mechanism particularly suited to detect attacks in progress.

AB - Whilst the precise objectives and mechanisms used by malicious code will vary widely and may involve wholly unknown techniques to achieve their respective objectives, certain second-order operations such as privilege escalation or concealment of the code's presence or activity are predictable. In particular, concealment mechanisms must modify well-known data structures, which could be detected trivially otherwise. We argue that any such mechanism is necessarily non-atomic and can hence be detected through concurrent observations forcing an interleaved linearization of the malicious code with observations of memory state changes induced in tightly coupled concurrent processing units. Extending previous research for the case of symmetric concurrent observation, we propose a computational model and observation mechanism for the case of tightly coupled asymmetric concurrent processing units as may be found in most current computing environments with particular emphasis on metrics for the cost of forced synchronization and resource contention caused by observations. We argue that the resulting observations will provide a novel sensor datum for intrusion detection but may also be used as a standalone probabilistic detection mechanism particularly suited to detect attacks in progress.

U2 - 10.1109/ICONS.2010.34

DO - 10.1109/ICONS.2010.34

M3 - Conference contribution

SN - 978-1-4244-6231-5

SP - 158

EP - 163

BT - Proceedings, 2010 Fifth International Conference on Systems (ICONS 2010)

PB - IEEE Computer Society Press

ER -