ABSTRACT
A new approach for detecting security attacks on software systems by monitoring the software system performance signatures is introduced. We present a proposed architecture for security intrusion detection using off-the-shelf security monitoring tools and performance signatures. Our approach relies on the assumption that the performance signature of the well-behaved system can be measured and that the performance signature of several types of attacks can be identified. This assumption has been validated for operations support systems that are used to monitor large infrastructures and receive aggregated traffic that is periodic in nature. Examples of such infrastructures include telecommunications systems, transportation systems and power generation systems. In addition, significant deviation from well-behaved system performance signatures can be used to trigger alerts about new types of security attacks. We used a custom performance benchmark and five types of security attacks to derive performance signatures for the normal mode of operation and the security attack mode of operation. We observed that one of the types of the security attacks went undetected by the off-the-shelf security monitoring tools but was detected by our approach of monitoring performance signatures. We conclude that an architecture for security intrusion detection can be effectively complemented by monitoring of performance signatures.
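The signature-comparison idea the abstract describes, as an added illustration that is not the paper's code: a per-slot mean/std signature is built from several periods of well-behaved, periodic CPU utilisation (constructed sample values), and a new period is flagged when any slot deviates beyond a threshold. The single metric, the 10-slot period and the 3-sigma threshold are assumptions, not values from the paper.

```python
"""Performance-signature deviation check (added example, not the paper's code)."""
from statistics import mean, pstdev

# Constructed baseline: CPU utilisation (%) sampled once per slot over a
# 10-slot period, recorded for four periods of well-behaved operation.
BASELINE_PERIODS = [
    [20, 35, 60, 80, 75, 55, 40, 30, 25, 22],
    [21, 34, 62, 78, 76, 54, 41, 29, 24, 23],
    [19, 36, 59, 81, 74, 56, 39, 31, 26, 21],
    [20, 33, 61, 79, 77, 55, 40, 30, 25, 22],
]
# Constructed observed periods: one normal, one sustained-load attack, and one
# low-and-slow attack that only raises the quiet tail of the period.
NORMAL_PERIOD = [20, 35, 61, 80, 75, 55, 40, 30, 25, 22]
ATTACK_PERIOD = [85, 88, 90, 92, 91, 89, 90, 88, 87, 86]
STEALTHY_PERIOD = [20, 35, 60, 80, 75, 55, 40, 45, 42, 40]


def build_signature(periods, min_std=1.0):
    """Per-slot (mean, std) over aligned periods. The std is floored so a slot
    that happened to be constant in the baseline cannot make every later
    sample look infinitely anomalous."""
    slots = list(zip(*periods))
    return [(mean(s), max(pstdev(s), min_std)) for s in slots]


def deviating_slots(signature, observed, threshold=3.0):
    """Indices of slots whose sample lies more than `threshold` std from the
    baseline mean; an empty list means the period matches the signature."""
    return [i for i, ((m, sd), x) in enumerate(zip(signature, observed))
            if abs(x - m) / sd > threshold]


def classify(signature, observed, threshold=3.0):
    """'normal' if every slot is within the threshold, else 'deviation'."""
    return "deviation" if deviating_slots(signature, observed, threshold) else "normal"


if __name__ == "__main__":
    sig = build_signature(BASELINE_PERIODS)
    for name, period in [("normal", NORMAL_PERIOD), ("attack", ATTACK_PERIOD),
                         ("stealthy", STEALTHY_PERIOD)]:
        print(name, classify(sig, period), deviating_slots(sig, period))
```

The deviating-slot list is what an operator would want alongside the verdict: a sustained-load attack lights up every slot, while the low-and-slow case only shows in the slots that should have been quiet.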