CuPIDS: An exploration of highly focused, co-processor-based information system protection

The Co-Processing Intrusion Detection System (CuPIDS) project explores improving information system security through dedicating computational resources to system security tasks in a shared resource, multi-processor (MP) architecture. Our research explores ways in which this architecture offers improvements over the traditional uni-processor (UP) model of security. One approach we examined has a protected application running on one processor in a symmetric multi-processing (SMP) system while a shadow process specific to that application runs on a different processor. The shadow process monitors the application process' activity, ready to respond immediately if the application violates policy. Experiments with a prototype CuPIDS system demonstrate the feasibility of this approach in the context of a self-protecting and self-healing system. An untuned prototype supporting fine-grained protection of the real-world application WU-FTP resulted in less than a 15% slowdown while demonstrating CuPIDS' ability to quickly detect illegitimate behavior, raise an alarm, automatically repair the damage done by the fault or attack, allow the application to resume execution, and export a signature for the activity leading up to the error.
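The detect, alarm, repair, resume and export-signature cycle the abstract describes, as an added Python illustration that is not the CuPIDS prototype's code: the event names, the state-transition policy, the checkpoint rule and the core-pinning of the shadow process are all constructed assumptions for the example.

```python
import os
from collections import deque
from multiprocessing import Process, Queue

# Constructed toy policy (not the paper's WU-FTP policy): each state maps to
# the set of events the protected application may legitimately perform next.
POLICY = {
    "start": {"open", "exit"},
    "open": {"read", "write", "close"},
    "read": {"read", "write", "close"},
    "write": {"read", "write", "close"},
    "close": {"open", "exit"},
}

def check_event(prev, event):
    """True if the transition prev -> event is permitted by POLICY."""
    return event in POLICY.get(prev, set())

class ShadowMonitor:
    """Shadow-process logic: validate each event; on a violation raise an alarm,
    roll the application back to its last checkpoint, and export the recent
    event window as a signature of the activity that led to the fault."""
    def __init__(self, window=4):
        self.prev = self.checkpoint = "start"
        self.recent = deque(maxlen=window)
        self.alarms = []

    def observe(self, event):
        self.recent.append(event)
        if check_event(self.prev, event):
            self.prev = event
            if event == "close":           # quiescent point safe to restart from
                self.checkpoint = event
            return "ok"
        self.alarms.append({"from": self.prev, "event": event,
                            "signature": list(self.recent)})
        self.prev = self.checkpoint        # repair: restore checkpointed state,
        return "rolled_back"               # then let the application resume

def monitor_loop(events, verdicts):
    """Body of the shadow process; pinned to its own core where the OS allows."""
    if hasattr(os, "sched_setaffinity") and (os.cpu_count() or 1) > 1:
        try:
            os.sched_setaffinity(0, {os.cpu_count() - 1})
        except OSError:
            pass                           # restricted cpuset: run unpinned
    mon = ShadowMonitor()
    for event in iter(events.get, None):   # None is the shutdown sentinel
        verdicts.put((event, mon.observe(event)))
    verdicts.put(mon.alarms)

if __name__ == "__main__":
    events, verdicts = Queue(), Queue()
    shadow = Process(target=monitor_loop, args=(events, verdicts))
    shadow.start()
    stream = ["open", "read", "close", "write", "open", "close", "exit"]
    for e in stream + [None]:              # the protected application's events
        events.put(e)
    for _ in range(len(stream) + 1):       # one verdict per event, then alarms
        print(verdicts.get())
    shadow.join()
```

Running the script shows the `write` after `close` flagged, the monitor rolled back to the `close` checkpoint, and the exported signature `['open', 'read', 'close', 'write']`.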
