15,365 research outputs found
Identifying Native Applications with High Assurance
The work described in this paper investigates the problem
of identifying and deterring stealthy malicious processes on
a host. We point out the lack of strong application iden-
tication in main stream operating systems. We solve the
application identication problem by proposing a novel iden-
tication model in which user-level applications are required
to present identication proofs at run time to be authenti-
cated by the kernel using an embedded secret key. The se-
cret key of an application is registered with a trusted kernel
using a key registrar and is used to uniquely authenticate
and authorize the application. We present a protocol for
secure authentication of applications. Additionally, we de-
velop a system call monitoring architecture that uses our
model to verify the identity of applications when making
critical system calls. Our system call monitoring can be
integrated with existing policy specication frameworks to
enforce application-level access rights. We implement and
evaluate a prototype of our monitoring architecture in Linux
as device drivers with nearly no modication of the ker-
nel. The results from our extensive performance evaluation
shows that our prototype incurs low overhead, indicating the
feasibility of our model
Comparison of System Call Representations for Intrusion Detection
Over the years, artificial neural networks have been applied successfully in
many areas including IT security. Yet, neural networks can only process
continuous input data. This is particularly challenging for security-related
non-continuous data like system calls. This work focuses on four different
options to preprocess sequences of system calls so that they can be processed
by neural networks. These input options are based on one-hot encoding and
learning word2vec or GloVe representations of system calls. As an additional
option, we analyze if the mapping of system calls to their respective kernel
modules is an adequate generalization step for (a) replacing system calls or
(b) enhancing system call data with additional information regarding their
context. However, when performing such preprocessing steps it is important to
ensure that no relevant information is lost during the process. The overall
objective of system call based intrusion detection is to categorize sequences
of system calls as benign or malicious behavior. Therefore, this scenario is
used to evaluate the different input options as a classification task. The
results show, that each of the four different methods is a valid option when
preprocessing input data, but the use of kernel modules only is not recommended
because too much information is being lost during the mapping process.Comment: 12 pages, 1 figure, submitted to CISIS 201
Design and implementation of a multi-modal biometric system for company access control
This paper is about the design, implementation, and deployment of a multi-modal biometric system to grant access to a company structure and to internal zones in the company itself. Face and iris have been chosen as biometric traits. Face is feasible for non-intrusive checking with a minimum cooperation from the subject, while iris supports very accurate recognition procedure at a higher grade of invasivity. The recognition of the face trait is based on the Local Binary Patterns histograms, and the Daughman\u2019s method is implemented for the analysis of the iris data. The recognition process may require either the acquisition of the user\u2019s face only or the serial acquisition of both the user\u2019s face and iris, depending on the confidence level of the decision with respect to the set of security levels and requirements, stated in a formal way in the Service Level Agreement at a negotiation phase. The quality of the decision depends on the setting of proper different thresholds in the decision modules for the two biometric traits. Any time the quality of the decision is not good enough, the system activates proper rules, which ask for new acquisitions (and decisions), possibly with different threshold values, resulting in a system not with a fixed and predefined behaviour, but one which complies with the actual acquisition context. Rules are formalized as deduction rules and grouped together to represent \u201cresponse behaviors\u201d according to the previous analysis. Therefore, there are different possible working flows, since the actual response of the recognition process depends on the output of the decision making modules that compose the system. Finally, the deployment phase is described, together with the results from the testing, based on the AT&T Face Database and the UBIRIS database
- …