Article. DOI: 10.1145/1086297.1086305

Anomalous path detection with hardware support

Published: 24 September 2005

Abstract

Embedded systems are being deployed as part of critical infrastructures and are vulnerable to malicious attacks due to internet accessibility. Intrusion detection systems have been proposed to protect computer systems from unauthorized penetration. Detecting an attack early pays off, since further damage is avoided and, in some cases, resilient recovery can be adopted. This is especially important for embedded systems deployed in critical infrastructures such as power grids, where a timely intervention could avert catastrophes. An intrusion detection system monitors dynamic program behavior against normal program behavior and raises an alert when an anomaly is detected. The normal behavior is learned by the system through training and profiling.

However, all current intrusion detection systems are purely software-based and thus suffer from large performance degradation due to the constant monitoring operations inserted in application code. Because of these potential performance overheads, software-based solutions cannot monitor program behavior at a very fine level of granularity, thus leaving potential security holes, as shown in the literature. Another important drawback of such methods is that they are unable to detect intrusions in near real time, and the time lag could prove disastrous in real-time embedded systems. In this paper, we propose a hardware-based approach to verify program execution paths of target applications dynamically and to detect anomalous executions. With hardware support, our approach offers multiple advantages over software-based solutions, including minor performance degradation, much stronger detection capability (a larger variety of attacks get detected), and zero-latency reaction upon an anomaly for near-real-time detection, and thus much better security.


Published In

CASES '05: Proceedings of the 2005 international conference on Compilers, architectures and synthesis for embedded systems
September 2005
326 pages
ISBN:159593149X
DOI:10.1145/1086297
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. anomalous path
  2. anomaly detection
  3. control flow monitoring
  4. hardware support
  5. monitoring granularity

Qualifiers

  • Article

Conference

CASES05

Acceptance Rates

Overall Acceptance Rate 52 of 230 submissions, 23%

Cited By

  • (2022) HEAVEN. Expert Systems with Applications: An International Journal, 201:C. DOI: 10.1016/j.eswa.2022.117083. Online publication date: 1-Sep-2022
  • (2021) Towards Efficient Control-Flow Attestation with Software-Assisted Multi-level Execution Tracing. 2021 IEEE International Mediterranean Conference on Communications and Networking (MeditCom), pp. 512-518. DOI: 10.1109/MeditCom49071.2021.9647635. Online publication date: 7-Sep-2021
  • (2020) Statistical Time-based Intrusion Detection in Embedded Systems. 2020 Design, Automation & Test in Europe Conference & Exhibition (DATE), pp. 562-567. DOI: 10.23919/DATE48585.2020.9116369. Online publication date: Mar-2020
  • (2019) Window-based statistical analysis of timing subcomponents for efficient detection of malware in life-critical systems. Proceedings of the Modeling and Simulation in Medicine Symposium, pp. 1-12. DOI: 10.5555/3338264.3338271. Online publication date: 29-Apr-2019
  • (2019) A comprehensive survey of anomaly detection in banking, wireless sensor networks, social networks, and healthcare. Intelligent Decision Technologies, 13:2, pp. 229-270. DOI: 10.3233/IDT-170155. Online publication date: 17-May-2019
  • (2019) Window-Based Statistical Analysis Of Timing Subcomponents For Efficient Detection Of Malware In Life-Critical Systems. 2019 Spring Simulation Conference (SpringSim), pp. 1-12. DOI: 10.23919/SpringSim.2019.8732899. Online publication date: Apr-2019
  • (2019) ContractGuard: Defend Ethereum Smart Contracts with Embedded Intrusion Detection. IEEE Transactions on Services Computing, pp. 1-1. DOI: 10.1109/TSC.2019.2949561. Online publication date: 2019
  • (2019) Secure Edge Computing with Lightweight Control-Flow Property-based Attestation. 2019 IEEE Conference on Network Softwarization (NetSoft), pp. 84-92. DOI: 10.1109/NETSOFT.2019.8806658. Online publication date: Jun-2019
  • (2019) Dynamic Graph Embedding via LSTM History Tracking. 2019 IEEE International Conference on Data Science and Advanced Analytics (DSAA), pp. 119-127. DOI: 10.1109/DSAA.2019.00026. Online publication date: Oct-2019
  • (2019) SecMonQ: An HSM Based Security Monitoring Approach for Protecting AUTOSAR Safety-critical Systems. Vehicular Communications, article 100201. DOI: 10.1016/j.vehcom.2019.100201. Online publication date: Oct-2019
