Monitoring for security intrusion using performance signatures

Authors:
Alberto Avritzer;Rajanikanth Tanikella;Kiran James;Robert G. Cole;Elaine Weyuker
Affiliations:
Siemens Corporate Research, Princeton, NJ, USA;Siemens Corporate Research, Princeton, NJ, USA;Siemens Corporate Research, Princeton, NJ, USA;JHU/Applied Physics Laboratory, Laurel, MD, USA;AT&T Labs - Research, Florham Park, NJ, USA
Venue:
Proceedings of the first joint WOSP/SIPEW international conference on Performance engineering
Year:
2010

Citing 9
Cited 1

A method for obtaining digital signatures and public-key cryptosystems

Communications of the ACM
Monitoring Smoothly Degrading Systems for Increased Dependability

Empirical Software Engineering
The Automatic Generation of Load Test Suites and the Assessment of the Resulting Software

IEEE Transactions on Software Engineering
Detecting failed processes using fault signatures

IPDS '96 Proceedings of the 2nd International Computer Performance and Dependability Symposium (IPDS '96)
Software Rejuvenation: Analysis, Module and Applications

FTCS '95 Proceedings of the Twenty-Fifth International Symposium on Fault-Tolerant Computing
Estimating the CPU utilization of a rule-based system

WOSP '04 Proceedings of the 4th international workshop on Software and performance
Ensuring stable performance for systems that degrade

Proceedings of the 5th international workshop on Software and performance
Using performance signatures and software rejuvenation for worm mitigation in tactical MANETs

WOSP '07 Proceedings of the 6th international workshop on Software and performance
Intrusion detection using sequences of system calls

Journal of Computer Security

Security breaches as PMU deviation: detecting and identifying security attacks using performance counters

Proceedings of the Second Asia-Pacific Workshop on Systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

A new approach for detecting security attacks on software systems by monitoring the software system performance signatures is introduced. We present a proposed architecture for security intrusion detection using off-the-shelf security monitoring tools and performance signatures. Our approach relies on the assumption that the performance signature of the well-behaved system can be measured and that the performance signature of several types of attacks can be identified. This assumption has been validated for operations support systems that are used to monitor large infrastructures and receive aggregated traffic that is periodic in nature. Examples of such infrastructures include telecommunications systems, transportation systems and power generation systems. In addition, significant deviation from well-behaved system performance signatures can be used to trigger alerts about new types of security attacks. We used a custom performance benchmark and five types of security attacks to derive performance signatures for the normal mode of operation and the security attack mode of operation. We observed that one of the types of the security attacks went undetected by the off-the-shelf security monitoring tools but was detected by our approach of monitoring performance signatures. We conclude that an architecture for security intrusion detection can be effectively complemented by monitoring of performance signatures.