Attack and intrusion detection on host systems is both a last line of defence and a source of substantially more detail than other sensor types. However, any host-based sensor is likely to be a primary target for adversaries seeking to ensure concealment and evasion of defensive measures. In this paper we therefore propose a novel defence mechanism for host-based sensors that utilises truly concurrent observation of state at key locations of operating systems and security controls, including a self-defence mechanism. This is facilitated by the ready availability of multi-core and multi-processor systems in symmetric and non-uniform architectures for general-purpose computers. It obviates the need for specialised hardware components or the overhead imposed by virtualisation approaches, and has the added advantage of becoming increasingly difficult to foil as the number of concurrent observation threads increases, whilst being highly scalable itself. We describe a formal model of this observation and self-observation mechanism. The analysis of the observations is supported by a causal model, which we describe briefly. Using causal models enables us to detect complex attacks employing dynamic obfuscation, as the analysis relies on higher-order semantics, and also allows the system to deal with the non-linearity in memory writes that is characteristic of multiprocessing systems. We conclude with a brief description of experimental validation, demonstrating both high, adaptable performance and the ability to detect attacks on the mechanism itself.