CuPIDS: Increasing Information System Security through the Use of Dedicated Co-processing
Author
Paul D. Williams
Tech report number
CERIAS TR 2005-50
Entry type
phdthesis
Abstract
Most past and present intrusion detection system architectures
assume a uni-processor environment or do not explicitly make use of
multiple processors when they exist. Yet, especially in the server
world, multiple processor machines are commonplace; and with the
advent of technologies such as Intel and AMD's multi-core or
Hyperthreading technologies, commodity computers are likely to have
multiple processors.
This research explores how explicitly dividing the system into
production and security components and running the components in
parallel on different processors can improve the effectiveness of
the security system. The production component contains all user
tasks and most of the operating system while the security component
contains security monitoring and validating tasks and the parts of
the O/S that pertain to security. We demonstrate that under some
circumstances this architecture allows intrusion detection systems
to use monitoring models with higher fidelity, particularly with
regard to the timeliness of detection, and will also increase system
robustness in the face of some types of attacks.
Empirical results with a prototype co-processing intrusion detection
system (CuPIDS) architecture support the feasibility of this
approach. The construction of the prototype allowed us to
demonstrate that the implementation costs of the architecture are
reasonable. Experimentation using fine-grained protection of
real-world applications resulted in about a fifteen percent slowdown
while demonstrating CuPIDS' ability to quickly detect and respond to
illegitimate behavior.
Date
2005-07-25
Institution
CERIAS, Purdue
Key alpha
Williams
School
Purdue
Affiliation
United States Air Force, CERIAS
Publication Date
2005-07-25
Copyright
Paul D. Williams
Subject
Multi-processing security policy compliance monitoring

