CuPIDS: increasing information system security through the use of dedicated co-processing

Most past and present intrusion detection system architectures assume a uniprocessor environment or do not explicitly make use of multiple processors when they exist. Yet, especially in the server world, multiprocessor machines are commonplace, and with the advent of technologies such as Intel's and AMD's multi-core or Hyperthreading technologies, commodity computers are likely to have multiple processors. This research explores how explicitly dividing the system into production and security components, and running those components in parallel on different processors, can improve the effectiveness of the security system. The production component contains all user tasks and most of the operating system, while the security component contains security monitoring and validating tasks and the parts of the O/S that pertain to security. We demonstrate that under some circumstances this architecture allows intrusion detection systems to use monitoring models with higher fidelity, particularly with regard to the timeliness of detection, and also increases system robustness in the face of some types of attacks. Empirical results with a prototype co-processing intrusion detection system (CuPIDS) architecture support the feasibility of this approach. The construction of the prototype allowed us to demonstrate that the implementation costs of the architecture are reasonable. Experimentation using fine-grained protection of real-world applications resulted in about a fifteen percent slowdown while demonstrating CuPIDS' ability to quickly detect and respond to illegitimate behavior.
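The production/security split the abstract describes can be sketched in a few dozen lines. The following is an added example, not code from the paper or the CuPIDS prototype: a production process emits its call trace while a separate monitor process, pinned to a different CPU where the platform supports it, validates each event against a constructed transition allow-list and reports the first violation as soon as it is seen rather than after the trace completes. The model, the call names and the helper names (`transition_ok`, `first_violation`, `run_split`) are all assumptions made for illustration; CPU pinning uses `os.sched_setaffinity`, which exists only on Linux and is skipped elsewhere.

```python
"""Added example: a production task and a security monitor run as separate
processes, pinned to different CPUs where the platform allows, mirroring the
production/security split the abstract describes. Everything here is
constructed for illustration and is not the CuPIDS prototype's code."""
import multiprocessing as mp
import os

# Constructed allow-list of call-to-call transitions for a hypothetical
# production task; a real monitor would derive such a model from the program.
ALLOWED_TRANSITIONS = {
    "open": {"read", "close"},
    "read": {"read", "write", "close"},
    "write": {"write", "close"},
    "close": {"open", "exit"},
}
SENTINEL = None  # marks the end of the production trace


def transition_ok(prev, cur, model=ALLOWED_TRANSITIONS):
    """The first call of a trace is always accepted; every later call must be
    an allowed successor of the previous call."""
    return prev is None or cur in model.get(prev, set())


def first_violation(trace, model=ALLOWED_TRANSITIONS):
    """Sequential reference check: index of the first disallowed transition,
    or None if the whole trace conforms."""
    prev = None
    for i, call in enumerate(trace):
        if not transition_ok(prev, call, model):
            return i
        prev = call
    return None


def pin_to_cpu(slot):
    """Pin the calling process to one CPU (Linux only; a no-op elsewhere)."""
    if hasattr(os, "sched_setaffinity"):
        try:
            cpus = sorted(os.sched_getaffinity(0))
            os.sched_setaffinity(0, {cpus[slot % len(cpus)]})
        except OSError:
            pass


def production(trace, events, slot):
    """Production component: emits its call trace to the monitor as it runs."""
    pin_to_cpu(slot)
    for call in trace:
        events.put(call)
    events.put(SENTINEL)


def monitor(events, verdicts, slot, model):
    """Security component: validates each event as it arrives and reports the
    index of the first violation immediately, without waiting for the trace
    to finish; it then drains the remaining events so the producer never
    blocks on a full queue."""
    pin_to_cpu(slot)
    prev, index, reported = None, 0, False
    while True:
        call = events.get()
        if call is SENTINEL:
            break
        if not reported and not transition_ok(prev, call, model):
            verdicts.put(index)
            reported = True
        prev, index = call, index + 1
    if not reported:
        verdicts.put(None)


def run_split(trace, model=ALLOWED_TRANSITIONS):
    """Run production and monitor in parallel; return the monitor's verdict
    (index of the first violation, or None for a conforming trace)."""
    events, verdicts = mp.Queue(), mp.Queue()
    mon = mp.Process(target=monitor, args=(events, verdicts, 1, model))
    prod = mp.Process(target=production, args=(trace, events, 0))
    mon.start()
    prod.start()
    verdict = verdicts.get()
    prod.join()
    mon.join()
    return verdict


if __name__ == "__main__":
    good = ["open", "read", "write", "close", "exit"]
    bad = ["open", "read", "exit"]  # read -> exit is not in the model
    print("conforming trace:", run_split(good))  # None
    print("violating trace:", run_split(bad))    # 2
```

The point of keeping the monitor in its own process is the one the abstract makes about timeliness: the verdict is produced when the offending transition arrives, not when the production task finishes, and the check never competes with the production task for the same CPU.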
