Enhancing host security using external environment sensors

We propose a framework that uses (external) environment information to enhance computer security. The benefit of our framework is that the environment information is collected by sensors that are outside the control of a host and communicate with an external monitor via an out-of-band channel (with respect to the host), so it cannot be compromised by malware on the host system. The information gathered remains intact even if malware uses rootkit techniques to hide its activities. Our framework can be applied to a number of security applications: (1) intrusion detection; (2) rate monitoring/control of external resources; and (3) access control. We show that the framework is useful even with coarse-grained and simple information. We present some experimental prototypes that employ the framework to detect/control email spam, detect/control DDoS zombie attacks and detect misuse of compute resources. Experimental evaluation shows that the framework is effective in detecting or limiting the activities of such malware. The growing popularity of multimodal sensors and physical security information management systems suggests that such environmental sensors will become common, making our framework cost effective and feasible in the near future.
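The monitor side of the framework, as an added example that is not code from the paper or its prototypes: an external monitor consumes per-slot event counts from an out-of-band sensor (for instance, outbound mail connections seen on a network tap) together with the counts the host itself reports for the same slots. It flags a host whose self-report falls short of what the sensor saw (activity hidden by a rootkit cannot hide from the sensor), applies a per-slot rate limit, and detects a sustained upward shift with a one-sided cumulative-sum (CUSUM) change detector. The sensor type, the parameter values and the sample observations are all assumptions constructed for this example.

```python
# Added example, not the paper's code: an out-of-band monitor that cross-checks
# host self-reports against an external sensor and applies simple rate checks.
from dataclasses import dataclass
from typing import List


@dataclass
class Observation:
    slot: int           # time-slot index (constructed data: one slot per minute)
    sensor_count: int   # events the external sensor counted for this slot
    host_count: int     # events the host reports for the same slot


@dataclass
class Alert:
    slot: int
    kind: str           # "hidden_activity", "rate_exceeded" or "sustained_shift"
    detail: str


class ExternalMonitor:
    """Stateful monitor; all thresholds are assumed, not taken from the paper."""

    def __init__(self, rate_limit: int, baseline: float, drift: float,
                 cusum_threshold: float, tolerance: int = 0) -> None:
        self.rate_limit = rate_limit            # max sensor events per slot
        self.baseline = baseline                # expected events per slot
        self.drift = drift                      # slack added to the baseline
        self.cusum_threshold = cusum_threshold  # alarm level for the CUSUM statistic
        self.tolerance = tolerance              # allowed sensor/host count gap
        self.s = 0.0                            # CUSUM statistic S_t

    def observe(self, obs: Observation) -> List[Alert]:
        alerts: List[Alert] = []
        # (1) The sensor saw more than the host admits: activity is being hidden.
        if obs.sensor_count - obs.host_count > self.tolerance:
            alerts.append(Alert(obs.slot, "hidden_activity",
                                f"sensor={obs.sensor_count} host={obs.host_count}"))
        # (2) Hard per-slot rate limit on the sensor-observed count.
        if obs.sensor_count > self.rate_limit:
            alerts.append(Alert(obs.slot, "rate_exceeded",
                                f"sensor={obs.sensor_count} limit={self.rate_limit}"))
        # (3) One-sided CUSUM: S_t = max(0, S_{t-1} + (x_t - baseline - drift)).
        self.s = max(0.0, self.s + (obs.sensor_count - self.baseline - self.drift))
        if self.s > self.cusum_threshold:
            alerts.append(Alert(obs.slot, "sustained_shift", f"cusum={self.s:.1f}"))
            self.s = 0.0  # restart the detector after an alarm
        return alerts


def run_monitor(observations: List[Observation], **params) -> List[Alert]:
    """Feed a sequence of observations to a fresh monitor and collect its alerts."""
    monitor = ExternalMonitor(**params)
    alerts: List[Alert] = []
    for obs in observations:
        alerts.extend(monitor.observe(obs))
    return alerts


PARAMS = dict(rate_limit=20, baseline=2.0, drift=1.0, cusum_threshold=15.0, tolerance=0)

# Constructed sample: four quiet minutes, then the host starts sending 40 mails
# per minute while still reporting only 2 (a rootkit hiding the spam process).
SAMPLE_ZOMBIE = [Observation(i, 2, 2) for i in range(4)] + [
    Observation(4, 40, 2),
    Observation(5, 40, 2),
]

# Constructed sample: the host is honest and stays under the rate limit, but its
# rate has tripled; only the CUSUM accumulation notices the sustained shift.
SAMPLE_GRADUAL = [Observation(i, 6, 6) for i in range(8)]


if __name__ == "__main__":
    for name, sample in (("zombie", SAMPLE_ZOMBIE), ("gradual", SAMPLE_GRADUAL)):
        print(name)
        for alert in run_monitor(sample, **PARAMS):
            print(f"  slot {alert.slot}: {alert.kind} ({alert.detail})")
```

With these parameters the zombie sample raises all three alert kinds from slot 4 onward, while the gradual sample raises a single `sustained_shift` alert at slot 5, once the CUSUM statistic (growing by 3 per slot) first exceeds 15. The monitor never trusts the host's own count for the rate or change checks; the host report is used only to expose the discrepancy.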
