2,233 research outputs found
An Immune Inspired Approach to Anomaly Detection
The immune system provides a rich metaphor for computer security: anomaly
detection that works in nature should work for machines. However, early
artificial immune system approaches for computer security had only limited
success. Arguably, this was due to these artificial systems being based on too
simplistic a view of the immune system. We present here a second generation
artificial immune system for process anomaly detection. It improves on earlier
systems by having different artificial cell types that process information.
Following detailed information about how to build such second generation
systems, we find that communication between cells types is key to performance.
Through realistic testing and validation we show that second generation
artificial immune systems are capable of anomaly detection beyond generic
system policies. The paper concludes with a discussion and outline of the next
steps in this exciting area of computer security.Comment: 19 pages, 4 tables, 2 figures, Handbook of Research on Information
Security and Assuranc
Monitoring Partially Synchronous Distributed Systems using SMT Solvers
In this paper, we discuss the feasibility of monitoring partially synchronous
distributed systems to detect latent bugs, i.e., errors caused by concurrency
and race conditions among concurrent processes. We present a monitoring
framework where we model both system constraints and latent bugs as
Satisfiability Modulo Theories (SMT) formulas, and we detect the presence of
latent bugs using an SMT solver. We demonstrate the feasibility of our
framework using both synthetic applications where latent bugs occur at any time
with random probability and an application involving exclusive access to a
shared resource with a subtle timing bug. We illustrate how the time required
for verification is affected by parameters such as communication frequency,
latency, and clock skew. Our results show that our framework can be used for
real-life applications, and because our framework uses SMT solvers, the range
of appropriate applications will increase as these solvers become more
efficient over time.Comment: Technical Report corresponding to the paper accepted at Runtime
Verification (RV) 201
Dynamic and Transparent Analysis of Commodity Production Systems
We propose a framework that provides a programming interface to perform
complex dynamic system-level analyses of deployed production systems. By
leveraging hardware support for virtualization available nowadays on all
commodity machines, our framework is completely transparent to the system under
analysis and it guarantees isolation of the analysis tools running on its top.
Thus, the internals of the kernel of the running system needs not to be
modified and the whole platform runs unaware of the framework. Moreover, errors
in the analysis tools do not affect the running system and the framework. This
is accomplished by installing a minimalistic virtual machine monitor and
migrating the system, as it runs, into a virtual machine. In order to
demonstrate the potentials of our framework we developed an interactive kernel
debugger, nicknamed HyperDbg. HyperDbg can be used to debug any critical kernel
component, and even to single step the execution of exception and interrupt
handlers.Comment: 10 pages, To appear in the 25th IEEE/ACM International Conference on
Automated Software Engineering, Antwerp, Belgium, 20-24 September 201
FPGA based remote code integrity verification of programs in distributed embedded systems
The explosive growth of networked embedded systems has made ubiquitous and pervasive computing a reality. However, there are still a number of new challenges to its widespread adoption that include scalability, availability, and, especially, security of software. Among the different challenges in software security, the problem of remote-code integrity verification is still waiting for efficient solutions. This paper proposes the use of reconfigurable computing to build a consistent architecture for generation of attestations (proofs) of code integrity for an executing program as well as to deliver them to the designated verification entity. Remote dynamic update of reconfigurable devices is also exploited to increase the complexity of mounting attacks in a real-word environment. The proposed solution perfectly fits embedded devices that are nowadays commonly equipped with reconfigurable hardware components that are exploited to solve different computational problems
Rootkit Guard (RG) - an architecture for rootkit resistant file-system implementation based on TPM
Recent rootkit-attack mitigation work neglected to address the integrity of the mitigation tool itself. Both detection and prevention arms of current rootkit-attack mitigation solutions can be given credit for the advancement of multiple methodologies for rootkit defense but if the defense system itself is compromised, how is the defense system to be trusted? Another deficiency not addressed is how platform integrity can be preserved without availability of current RIDS or RIPS solutions, which operate only upon the loading of the kernel i.e. without availability of a trusted boot environment. To address these deficiencies, we present our architecture for solving rootkit persistence – Rootkit Guard (RG). RG is a marriage between TrustedGRUB (providing trusted boot), IMA (Integrity Measurement Architecture) (serves as RIDS) and SELinux (serves as RIPS). TPM hardware is utilised to provide total integrity of our platform via storage of the aggregate of the clean snapshot of our platform OS kernel into TPM hardware registers (i.e. the PCR) – of which no software attacks have been demonstrated to date. RG solves rootkit persistence by leveraging on one vital but simple strategy: the mounting of rootkit defense via prevention of the execution of configuration binaries or build initialisation scripts. We adopted the technique of rootkit persistence prevention via thwarting the initialisation of a rootkit’s installation procedure; if the rootkit is successfully installed, proper deployment via thwarting of the rootkit’s configuration is prevented. We had subjected the RG to 8 real world Linux 2.6 rootkits and the RG was successful in solving rootkit persistence in all 8 evaluated rootkits. In terms of performance, the RG introduced a maximum of 11% overhead and an average of 4% overhead, hence permitting deployment in production environments
Automated Approach to Intrusion Detection in VM-based Dynamic Execution Environment
Because virtual computing platforms are dynamically changing, it is difficult to build high-quality intrusion detection system. In this paper, we present an automated approach to intrusions detection in order to maintain sufficient performance and reduce dependence on execution environment. We discuss a hidden Markov model strategy for abnormality detection using frequent system call sequences, letting us identify attacks and intrusions automatically and efficiently. We also propose an automated mining algorithm, named AGAS, to generate frequent system call sequences. In our approach, the detection performance is adaptively tuned according to the execution state every period. To improve performance, the period value is also under self-adjustment
Detecting Network-Based Obfuscated Code Injection Attacks Using Sandboxing
Intrusion detection systems (IDSs) are widely recognised as the last line of defence often used to enable incident response when intrusion prevention mechanisms are ineffective, or have been compromised. A signature based network IDS (NIDS) which operates by comparing network traffic to a database of suspicious activity patterns (known as signatures) is a popular solution due to its ease of deployment and relatively low false positive (incorrect alert) rate. Lately, attack developers have focused on developing stealthy attacks designed to evade NIDS. One technique used to accomplish this is to obfuscate the shellcode (the executable component of an attack) so that it does not resemble the signatures the IDS uses to identify the attacks but is still logically equivalent to the clear-text attacks when executed. We present an approach to detect obfuscated code injection attacks, an approach which compensates for efforts to evade IDSs. This is achieved by executing those network traffic segments that are judged potentially to contain executable code and monitoring the execution to detect operating system calls which are a necessary component of any such code. This detection method is based not on how the injected code is represented but rather on the actions it performs. Correct configuration of the IDS at deployment time is crucial for correct operation when this approach is taken, in particular, the examined executable code must be executed in an environment identical to the execution environment of the host the IDS is monitoring with regards to both operating system and architecture. We have implemented a prototype detector that is capable of detecting obfuscated shellcodes in a Linux environment, and demonstrate how it can be used to detect new or previously unseen code injection attacks and obfuscated attacks as well as well known attacks
Building an Emulation Environment for Cyber Security Analyses of Complex Networked Systems
Computer networks are undergoing a phenomenal growth, driven by the rapidly
increasing number of nodes constituting the networks. At the same time, the
number of security threats on Internet and intranet networks is constantly
growing, and the testing and experimentation of cyber defense solutions
requires the availability of separate, test environments that best emulate the
complexity of a real system. Such environments support the deployment and
monitoring of complex mission-driven network scenarios, thus enabling the study
of cyber defense strategies under real and controllable traffic and attack
scenarios. In this paper, we propose a methodology that makes use of a
combination of techniques of network and security assessment, and the use of
cloud technologies to build an emulation environment with adjustable degree of
affinity with respect to actual reference networks or planned systems. As a
byproduct, starting from a specific study case, we collected a dataset
consisting of complete network traces comprising benign and malicious traffic,
which is feature-rich and publicly available
- …