Abstract
We propose a framework that uses (external) environment information to enhance computer security. The benefit of our framework is that the environment information is collected by sensors that are outside the control of the host and that communicate with an external monitor over an out-of-band channel (with respect to the host); the information therefore cannot be compromised by malware on the host system, and it remains intact even if the malware uses rootkit techniques to hide its activities. Our framework can be applied to a number of security applications: (1) intrusion detection; (2) rate monitoring/control of external resources; and (3) access control. We show that the framework is useful even with coarse-grained and simple information. We present experimental prototypes that employ the framework to detect/control email spam, detect/control DDoS zombie attacks, and detect misuse of compute resources. Experimental evaluation shows that the framework is effective in detecting or limiting the activities of such malware. The growing popularity of multimodal sensors and physical security information management systems suggests that such environmental sensors will become common, making our framework cost-effective and feasible in the near future.
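The abstract's core idea is that a sensor the host cannot control reports over an out-of-band channel, so a monitor can act on that reading even when a rootkit hides the activity from the host's own accounting. The following is an added illustration of that principle, not the authors' prototype: it assumes a hypothetical external sensor that counts a host's outbound SMTP connections per interval, a hypothetical (untrusted) host agent that self-reports the same quantity, and a monitor that raises rate alerts from the sensor alone, flags discrepancies between sensor and host report, and derives a per-interval allow/block decision meant to be enforced at the external resource rather than on the host. The sample trace is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Interval:
    """One monitoring interval. Counts are constructed sample values."""
    t: int                     # interval index
    sensor_count: int          # outbound SMTP connections seen by the external sensor (trusted)
    host_count: Optional[int]  # connections the host agent claims it made (untrusted); None = no report


@dataclass(frozen=True)
class Alert:
    t: int
    kind: str     # "rate", "hidden_activity", or "agent_silent"
    detail: str


def monitor(intervals: List[Interval], rate_limit: int, tolerance: int = 0) -> List[Alert]:
    """Raise alerts from out-of-band sensor data.

    - "rate": the sensor alone shows the host exceeding rate_limit; no host
      cooperation is needed, so malware on the host cannot suppress this.
    - "hidden_activity": the sensor saw more than the host admits to (beyond
      tolerance), i.e. activity hidden from host-side accounting.
    - "agent_silent": the host agent stopped reporting while the sensor still
      sees activity (e.g. the agent was disabled).
    """
    alerts: List[Alert] = []
    for iv in intervals:
        if iv.sensor_count > rate_limit:
            alerts.append(Alert(iv.t, "rate",
                                f"sensor saw {iv.sensor_count} connections, limit {rate_limit}"))
        if iv.host_count is None:
            if iv.sensor_count > 0:
                alerts.append(Alert(iv.t, "agent_silent",
                                    f"no host report while sensor saw {iv.sensor_count}"))
        elif iv.sensor_count - iv.host_count > tolerance:
            alerts.append(Alert(iv.t, "hidden_activity",
                                f"sensor saw {iv.sensor_count}, host reported {iv.host_count}"))
    return alerts


def enforce(intervals: List[Interval], rate_limit: int, tolerance: int = 0) -> Dict[int, str]:
    """Rate-control decision per interval, to be applied at the external resource
    (e.g. a mail relay) rather than on the host, so a compromised host cannot
    bypass it: "block" for any interval that raised an alert, "allow" otherwise."""
    flagged = {a.t for a in monitor(intervals, rate_limit, tolerance)}
    return {iv.t: ("block" if iv.t in flagged else "allow") for iv in intervals}


# Constructed sample trace: six one-minute intervals (hypothetical values).
SAMPLE = [
    Interval(0, 3, 3),      # normal, agent honest
    Interval(1, 4, 5),      # agent over-counts slightly; not suspicious
    Interval(2, 45, 45),    # burst above the limit, agent reports it truthfully
    Interval(3, 60, 2),     # burst that the host under-reports (hidden activity)
    Interval(4, 5, None),   # agent silent while the sensor still sees traffic
    Interval(5, 2, 2),      # back to normal
]

if __name__ == "__main__":
    for a in monitor(SAMPLE, rate_limit=20, tolerance=1):
        print(f"t={a.t} {a.kind}: {a.detail}")
    print(enforce(SAMPLE, rate_limit=20, tolerance=1))
```

The point of the split between `monitor` and `enforce` is that both the evidence (sensor counts) and the enforcement point (the external resource) sit outside the host, which is exactly the property the abstract relies on: a host that hides or stops reporting its own activity changes nothing about what the sensor sees or what the gateway does.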
Chang, EC., Lu, L., Wu, Y. et al. Enhancing host security using external environment sensors. Int. J. Inf. Secur. 10, 285–299 (2011). https://doi.org/10.1007/s10207-011-0130-9