Clustering System Call Arguments for Remote Attestation

In trusted computing, remote attestation is an essential feature for determining the trustworthiness of a remote platform by analyzing its integrity. In this paper, we present a new paradigm that leverages clustering of system call arguments for integrity measurement and reporting in remote attestation. The major contribution of this paper is twofold: (1) We introduce a clustering process to characterize system call arguments. (2) We introduce model verification for efficient trust reporting. Our proposed technique is evaluated on a real-world dataset extracted from a Linux system. The results show that different clustering algorithms can achieve different average accuracy while introducing low overhead.
