Constraints on autonomous use of standard GPU components for asynchronous observations and intrusion detection

The high computational power of graphics processing units (GPUs) is used for several purposes nowadays. Factoring integers, computing discrete logarithms, and pattern matching in network intrusion detection systems (IDSs) are popular tasks in the field of information security where GPUs are used for acceleration. GPUs are commodity components and are widely available in computer systems, which would make them an ideal platform for a widespread IDS. We investigate the feasibility of using current GPUs for asynchronous host intrusion detection, as proposed in earlier work, and conclude that several constraints of GPUs limit their use for concurrent and asynchronous off-CPU processing in host IDSs. For this task, GPUs are restricted in terms of continuity, asynchronism, and unrestricted access. We propose an observation mechanism and discuss current constraints on the autonomous use of standard GPU components for intrusion detection. Finally, we conclude that several modifications to graphics cards are necessary to enable our approach.
