DOI: 10.1145/2513228.2513305
Research article, ACM conference proceedings (RACS)

Software behaviour correlation in a redundant and diverse environment using the concept of trace abstraction

Published: 01 October 2013

Abstract

Redundancy and diversity have been shown to be an effective approach for ensuring service continuity (an important requirement for autonomic systems) despite the presence of anomalies due to attacks or faults. In this paper, we focus on operating system (OS) diversity, which is useful in helping a system survive kernel-level anomalies. We propose an approach for detecting anomalies in the presence of OS diversity. We achieve this by comparing kernel-level traces generated from instances of the same application deployed on different OSes. Our trace correlation process relies on the concept of trace abstraction, in which low-level system events are transformed into higher-level concepts, freeing the trace from OS-specific events. We show the effectiveness of our approach through a case study in which we selected Linux and FreeBSD as the target OSes. We also report on lessons learned, setting the ground for future research.



Published In

RACS '13: Proceedings of the 2013 Research in Adaptive and Convergent Systems
October 2013, 529 pages
ISBN: 9781450323482
DOI: 10.1145/2513228

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. anomaly detection
2. autonomic systems
3. dynamic analysis
4. redundancy and diversity
5. trace abstraction

Conference

RACS'13: Research in Adaptive and Convergent Systems
October 1 - 4, 2013
Quebec, Montreal, Canada

Acceptance Rates

RACS '13 paper acceptance rate: 73 of 317 submissions, 23%
Overall acceptance rate: 393 of 1,581 submissions, 25%
