The cost of observation for intrusion detection : Performance impact of concurrent host observation. / Seeger, Mark; Busch, Christoph; Baier, Harald; Wolthusen, Stephen D.

Information Security for South Africa 2012 (ISSA). 2010.

Research output: Chapter in Book/Report/Conference proceeding: Conference contribution

Published



BibTeX

@inproceedings{767948be14e8471a97cada758f2ac200,
title = "The cost of observation for intrusion detection: Performance impact of concurrent host observation",
abstract = "Intrusion detection relies on the ability to obtain reliable and trustworthy measurements, while adversaries will inevitably target such monitoring and security systems to prevent their detection. This has led to a number of proposals for using coprocessors as protected monitoring instances. However, such coprocessors suffer from two problems, namely the ability to perform measurements without relying on the host system and the speed at which such measurements can be performed. The availability of smart, high-performance subsystems in commodity computer systems such as graphics processing units (GPU) strongly motivates an investigation into novel ways of achieving the twin objectives of self-protected observation and monitoring systems and sufficient measurement frequency. This, however, gives rise to performance penalties imposed by memory synchronization particularly in non-uniform memory architectures (NUMA) even for the case of direct memory access (DMA) transfers. Based on prior work detailing a cost model for synchronization of memory access in such advanced architectures, we report an experimental validation of the cost model using an IEEE 1394 DMA bus mastering environment, which provides full access to the measurement target's main memory and involves multiple bus bridges and concomitant synchronization mechanisms. We observed up to 25% performance degradation, highlighting the need for efficient sampling strategies for both, memory size and a preference for quiescent data structures for monitoring executed by off-host devices.",
author = "Mark Seeger and Christoph Busch and Harald Baier and Wolthusen, {Stephen D.}",
year = "2010",
month = aug,
doi = "10.1109/ISSA.2010.5588311",
language = "English",
isbn = "978-1-4244-5493-8",
booktitle = "Information Security for South Africa 2012 (ISSA)",

}

RIS

TY - GEN

T1 - The cost of observation for intrusion detection

T2 - Performance impact of concurrent host observation

AU - Seeger, Mark

AU - Busch, Christoph

AU - Baier, Harald

AU - Wolthusen, Stephen D.

PY - 2010/8

Y1 - 2010/8

N2 - Intrusion detection relies on the ability to obtain reliable and trustworthy measurements, while adversaries will inevitably target such monitoring and security systems to prevent their detection. This has led to a number of proposals for using coprocessors as protected monitoring instances. However, such coprocessors suffer from two problems, namely the ability to perform measurements without relying on the host system and the speed at which such measurements can be performed. The availability of smart, high-performance subsystems in commodity computer systems such as graphics processing units (GPU) strongly motivates an investigation into novel ways of achieving the twin objectives of self-protected observation and monitoring systems and sufficient measurement frequency. This, however, gives rise to performance penalties imposed by memory synchronization particularly in non-uniform memory architectures (NUMA) even for the case of direct memory access (DMA) transfers. Based on prior work detailing a cost model for synchronization of memory access in such advanced architectures, we report an experimental validation of the cost model using an IEEE 1394 DMA bus mastering environment, which provides full access to the measurement target's main memory and involves multiple bus bridges and concomitant synchronization mechanisms. We observed up to 25% performance degradation, highlighting the need for efficient sampling strategies for both, memory size and a preference for quiescent data structures for monitoring executed by off-host devices.

AB - Intrusion detection relies on the ability to obtain reliable and trustworthy measurements, while adversaries will inevitably target such monitoring and security systems to prevent their detection. This has led to a number of proposals for using coprocessors as protected monitoring instances. However, such coprocessors suffer from two problems, namely the ability to perform measurements without relying on the host system and the speed at which such measurements can be performed. The availability of smart, high-performance subsystems in commodity computer systems such as graphics processing units (GPU) strongly motivates an investigation into novel ways of achieving the twin objectives of self-protected observation and monitoring systems and sufficient measurement frequency. This, however, gives rise to performance penalties imposed by memory synchronization particularly in non-uniform memory architectures (NUMA) even for the case of direct memory access (DMA) transfers. Based on prior work detailing a cost model for synchronization of memory access in such advanced architectures, we report an experimental validation of the cost model using an IEEE 1394 DMA bus mastering environment, which provides full access to the measurement target's main memory and involves multiple bus bridges and concomitant synchronization mechanisms. We observed up to 25% performance degradation, highlighting the need for efficient sampling strategies for both, memory size and a preference for quiescent data structures for monitoring executed by off-host devices.

U2 - 10.1109/ISSA.2010.5588311

DO - 10.1109/ISSA.2010.5588311

M3 - Conference contribution

SN - 978-1-4244-5493-8

BT - Information Security for South Africa 2012 (ISSA)

ER -